#!/usr/bin/env python2
from pwn import *
from string import printable
# Only warnings and above from pwntools itself, so the transcript printed by
# the debug printer and the search loop is not interleaved with [+]/[*] noise.
context.log_level = 'WARN'
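# One "Breakpoint 2" hit followed by the four lines that `x/8gx` prints.
_HIT_RE = '(Breakpoint 2.*\n(?:0x[0-9a-f]*:\t0x[0-9a-f]*\t0x[0-9a-f]*\n){4})'
# The two qwords on one `x/8gx` output line (the leading "0xADDR:" is skipped
# because the colon breaks the first alternative).
_QWORDS_RE = '(0x[0-9a-f]*)\t(0x[0-9a-f]*)\n'
# Qwords 4..7 of a dump must look like this for the dump to count as a leaked
# bit.  NOTE(review): this resembles a full 16-byte block of 0x10 padding
# followed by zeros, but that interpretation is not confirmed here.
_EXPECTED_TAIL = [('0x1010101010101010', '0x1010101010101010'),
                  ('0x0000000000000000', '0x0000000000000000')]


def _parse_dumps(data, pr=lambda _: None):
    """Turn gdb's transcript of the "Breakpoint 2" hits into a bit list.

    Args:
        data: Raw gdb output containing every ``Breakpoint 2`` hit and the
            64-byte dump attached to each.
        pr: Debug printer taking one string; a no-op by default.

    Returns:
        list[int]: one entry per dump whose tail equals ``_EXPECTED_TAIL``:
        0 if the dump's fourth qword is all zeros, otherwise 1.
    """
    bits = []
    for hit in re.findall(_HIT_RE, data):
        qwords = re.findall(_QWORDS_RE, hit)
        if qwords[2:] != _EXPECTED_TAIL:
            continue
        # repr() here: the printer expects a string, not a list.
        pr(repr(qwords[:2]))
        bits.append(0 if qwords[1][1] == '0x0000000000000000' else 1)
    return bits


def submit(guess, debug=False, live=False, verifier='13.57.20.216:8080'):
    """Run one authentication attempt under gdb and collect the leaked bits.

    ``./smcauth`` is started inside gdb with a breakpoint on
    ``EVP_CipherUpdate``.  On the first hit the breakpoint is replaced by one
    at the call's return site whose command list dumps 64 bytes at
    ``$rsi-0x20`` and continues; the dumps are then parsed by
    ``_parse_dumps``.

    Args:
        guess: Exactly 32 characters, passed to the target via ``-s`` on
            gdb's ``run`` line.  gdb hands that line to a shell by default
            (``startup-with-shell``), so whitespace and shell metacharacters
            change what the target actually receives and make the returned
            score for such a candidate meaningless.  NOTE(review): sending
            ``set startup-with-shell off`` first would make the argument
            verbatim; not done here because the gdb session could not be
            re-validated.
        debug: Echo every gdb prompt exchange and each matching dump to
            stdout.
        live: Also pass ``--verifier`` so the target talks to ``verifier``;
            the candidate secret then leaves this host.
        verifier: ``host:port`` used when ``live`` is true.

    Returns:
        list[int]: the leaked bits, one per matching dump, in hit order.

    Raises:
        ValueError: if ``guess`` is not exactly 32 characters long.
    """
    # Not an assert: it must hold even under `python -O`.
    if len(guess) != 32:
        raise ValueError('guess must be exactly 32 characters, got %d' % len(guess))
    if debug:
        pr = lambda s: sys.stdout.write(s + '\n')
    else:
        pr = lambda _: None

    p = process(['gdb', './smcauth'])
    try:
        pr(p.recvuntil('(gdb) '))
        # No pager prompts: they would desynchronise the prompt-counting below.
        p.sendline('set height 0')
        pr(p.recvuntil('(gdb) '))
        # A plain run first -- presumably so the shared objects are mapped and
        # the EVP_CipherUpdate symbol resolves when the breakpoint is set.
        p.sendline('r')
        pr(p.recvuntil('(gdb) '))
        p.sendline('b EVP_CipherUpdate')
        pr(p.recvuntil('(gdb) '))
        if live:
            cmd = 'r auth -n smcauth_syn.v --verifier %s -s %s' % (verifier, guess)
        else:
            cmd = 'r auth -n smcauth_syn.v -s %s' % (guess,)
        p.sendline(cmd)
        pr(p.recvuntil('(gdb) '))
        # First hit: return to the caller, drop breakpoint 1, plant
        # breakpoint 2 at the return site with a dump-and-continue command
        # list, then let the target run to completion.
        p.sendline('finish\ndel 1\nbreak\ncommands\nx/8gx $rsi-0x20\nc\nend\nc')
        # Four prompts come from finish/del/break/commands; the next read holds
        # every subsequent "Breakpoint 2" hit.  NOTE(review): recvuntil has no
        # timeout, so a lost sync hangs the search instead of failing.
        for _ in range(4):
            pr(p.recvuntil('(gdb) '))
        data = p.recvuntil('(gdb) ')
    finally:
        # Always reap gdb, even if the session desynchronised above.
        p.close()

    bitstring = _parse_dumps(data, pr)
    pr('Counter: %d' % (len(bitstring),))
    pr('Bitstring:\n%r' % (bitstring,))
    return bitstring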
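def main():
    """Greedy per-position search for the 32-character secret.

    Starts from 32 copies of ``printable[0]`` and, for each position in
    turn, tries every candidate character, keeping the one whose ``submit``
    score (sum of leaked bits) beats the best seen so far.  Candidate
    characters that are whitespace are skipped: a space or tab splits the
    ``-s`` argument on gdb's shell-backed ``run`` line and a newline ends the
    gdb command early, so their scores never measured the intended guess.

    Command line:
        argv[1]  optional start position (decimal); anything unparsable
                 (e.g. ``--live``) means 0.
        --live   forward every search attempt to the remote verifier too.
                 The baseline attempt is always local, as before.
    """
    guess = [printable[0] for _ in range(32)]
    x = submit(''.join(guess))
    print('%s %s' % (x, sum(x)))
    best = sum(x)
    try:
        startidx = int(sys.argv[1], 10)
    except (IndexError, ValueError):
        startidx = 0
    live = '--live' in sys.argv
    candidates = [c for c in printable if not c.isspace()]
    for i in range(startidx, 32):
        for c in candidates:
            tmp = list(guess)
            tmp[i] = c
            score = sum(submit(''.join(tmp), live=live))
            print('%s %s' % (tmp, score))
            if score > best:
                guess = tmp
                best = score
                print('new best: %r' % (guess,))
    print('%s %s' % (guess, best))


if __name__ == '__main__':
    main()

# Flag recovered by the original run: OoO{m4by3_7ru57_1sn7_4lw4y5_b4d}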