-
Notifications
You must be signed in to change notification settings - Fork 0
/
exploit.py
80 lines (65 loc) · 2.22 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
from pwn import *
import requests
import argparse
import tempfile
import os
def get_url():
parser = argparse.ArgumentParser()
parser.add_argument("url", help="The URL of the ELF file.")
args = parser.parse_args()
return args.url
def fetch_file(url):
# fetch the file
response = requests.get(url)
if response.status_code == 200:
return response.content
else:
print("Failed to fetch the file.")
print(f"Status code: {response.status_code}")
exit(1)
def get_flag(url):
# create a temporary file-like object from the fetched file
with tempfile.NamedTemporaryFile(delete=False) as tmp_file:
elf_data = fetch_file(url)
tmp_file.write(elf_data)
tmp_file.flush()
tmp_file_path = tmp_file.name
# set the tmp ELF file as executable
os.chmod(tmp_file_path, 0o755)
# load the ELF file
elf = ELF(tmp_file_path)
# disassemble the main function
function_name = 'main'
if function_name in elf.symbols:
func_addr = elf.symbols[function_name]
print("-"*50)
print(f"Disassembly of the function '{function_name}':")
disassembly = elf.disasm(func_addr, 64)
print(disassembly)
print("-"*50)
# define the end address of the 'main' function
func_end_addr = "0x401142"
# run gdb
gdb_commands = f"""
break *{func_end_addr}
continue
info registers eax
"""
gdb.debug(tmp_file_path, gdbscript=gdb_commands)
if __name__ == "__main__":
url = get_url()
get_flag(url)
""" How It Works?
[rbp-0x4] starts at 0x1e0da (123098)
[rbp-0xc] is 0x25f (607)
jl 0x40112c loops while eax < 607
After the loop:
The loop sums numbers from 0 to 606, which is the sum of the first 607 natural numbers.
You can calculate the value of [rbp-0x4] after the looping finishes using
the formula of the sum of first n natural numbers: https://www.youtube.com/watch?v=dWunfFYQw0I
Sum = (n(n+1))/2 = (606(606+1))/2 = 183921
Final value of [rbp-0x4] = 123098 + 183921 = 307019
So, the flag is picoCTF{307019}
"""
print("-"*50)
print(f"Flag: picoCTF{{{307019}}}")